Description
DOMPurify allows ADD_ATTR to be provided as a predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. When the predicate returns true, _isValidAttribute short-circuits the attribute check before URI-safe validation runs.
Recommendation
Update the dompurify package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 3.3.1
- Patched version(s): 3.3.2
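As an added example that is not part of this advisory, the following Node.js script scans an npm package-lock.json (lockfile v2/v3 "packages" map) for every installed copy of dompurify, including nested copies pulled in under other dependencies, and flags those in the affected range (<= 3.3.1). The lockfile contents and the `some-lib` dependency are constructed for the demonstration.

```javascript
// Added example, not part of the advisory: find every dompurify copy in a
// package-lock.json and report which ones are below the patched release.
const PATCHED = '3.3.2'; // first fixed version per the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are
// ignored because the advisory states plain release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected means strictly older than the patched release (i.e. <= 3.3.1).
function isAffected(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Lockfile "packages" keys look like "node_modules/dompurify" or, for a
// nested copy, "node_modules/<dep>/node_modules/dompurify".
function findAffectedDompurify(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/dompurify')) continue;
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is already patched, while a
// nested copy under a hypothetical dependency "some-lib" is still affected.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/dompurify': { version: '3.3.2' },
    'node_modules/some-lib/node_modules/dompurify': { version: '3.2.6' },
  },
};

for (const h of findAffectedDompurify(sampleLock)) {
  console.log(`${h.path}@${h.version}: ${h.affected ? 'AFFECTED (<= 3.3.1)' : 'ok'}`);
}
```

Point the script at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `sampleLock`; a nested hit means the fix requires the parent dependency to be updated as well, not just the top-level dompurify.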
References
Related Issues
- DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) - CVE-2026-41240
- DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation - Vulnerability
- Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify - Vulnerability
- ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign - CVE-2020-14966
- Tags:
- npm
- dompurify
Last updated on April 03, 2026