DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
- Severity: Medium
Description
In src/purify.ts:1117-1123, ADD_TAGS supplied as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) bypasses FORBID_TAGS because of short-circuit evaluation: once the predicate accepts a tag, the forbid-list is never consulted.
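The following is an added, constructed model of the check-ordering bug class named above, not DOMPurify's source; the function names, the allow-list and the sample configuration are hypothetical. It puts the short-circuiting order beside a deny-wins order so the difference can be regression-tested:

```javascript
// Constructed model of an allow/forbid tag policy with an allow predicate
// (the function form of ADD_TAGS) and a forbid-list (FORBID_TAGS).
// Hypothetical names; this is NOT DOMPurify's implementation.
const BASE_ALLOWED = new Set(["a", "b", "p", "span", "ul", "li"]);

// Vulnerable ordering: the predicate is evaluated first, and when it returns
// true the `||` short-circuits, so the forbid-list on the right never runs.
function keepTagVulnerable(tag, cfg) {
  const t = tag.toLowerCase();
  return (cfg.tagCheck !== undefined && cfg.tagCheck(t)) ||
         (BASE_ALLOWED.has(t) && !cfg.forbidTags.has(t));
}

// Hardened ordering: deny wins. The forbid-list is checked before any allow
// source (static list or predicate), so no predicate can override it.
function keepTagHardened(tag, cfg) {
  const t = tag.toLowerCase();
  if (cfg.forbidTags.has(t)) {
    return false;
  }
  return BASE_ALLOWED.has(t) || (cfg.tagCheck !== undefined && cfg.tagCheck(t));
}

// Apply a policy to a list of tag names and return the ones that survive.
function filterTags(tags, cfg, keep) {
  return tags.filter((tag) => keep(tag, cfg));
}

// Constructed configuration: an over-broad predicate that admits every
// custom element, plus an explicit forbid-list the operator expects to win.
const SAMPLE_CONFIG = {
  tagCheck: (t) => t.includes("-"),         // allow all custom elements
  forbidTags: new Set(["b", "my-embed"]),   // but never these two
};
const SAMPLE_TAGS = ["p", "iframe", "my-widget", "my-embed", "B"];

// Returns the surviving tags under both orderings. Under the vulnerable
// ordering the forbidden "my-embed" survives because the predicate accepted
// it first; "b" is dropped in both, since it only reaches the static path.
function demo() {
  return {
    vulnerable: filterTags(SAMPLE_TAGS, SAMPLE_CONFIG, keepTagVulnerable),
    hardened: filterTags(SAMPLE_TAGS, SAMPLE_CONFIG, keepTagHardened),
  };
}
```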
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): <= 3.3.3
- Patched version(s): 3.4.0
References
Related Issues
- DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) - CVE-2026-41240
- SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta - Vulnerability
- DOMPurify ADD_ATTR predicate skips URI validation - Vulnerability
- ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function - CVE-2024-9506
- Tags: npm, dompurify
Last updated on April 16, 2026