Description
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to avoid XSS attack.
Fixed by https://github.
Recommendation
Update the dompurify package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.1.3 < 2.5.4** Patched version(s): **3.1.3 2.5.4**
References
Related Issues
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
- Regular Expression Denial of Service in papaparse - CVE-2020-36649
- Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
- Regular Expression Denial of Service in jsoneditor - CVE-2021-3822
- Tags:
- npm
- dompurify
Anything's wrong? Let us know Last updated on September 16, 2024