cure53 · Sep 24, 2020
diff --git a/‎dist/purify.cjs.js
+6-6 b/‎dist/purify.cjs.js
+6-6
diff --git a/‎dist/purify.cjs.js.map
+1-1 b/‎dist/purify.cjs.js.map
+1-1
diff --git a/‎dist/purify.es.js
+6-6 b/‎dist/purify.es.js
+6-6
diff --git a/‎dist/purify.es.js.map
+1-1 b/‎dist/purify.es.js.map
+1-1
diff --git a/‎dist/purify.js
+6-6 b/‎dist/purify.js
+6-6
diff --git a/‎dist/purify.js.map
+1-1 b/‎dist/purify.js.map
+1-1
diff --git a/‎dist/purify.min.js
+1-1 b/‎dist/purify.min.js
+1-1
diff --git a/‎dist/purify.min.js.map
+1-1 b/‎dist/purify.min.js.map
+1-1
diff --git a/‎src/purify.js
+9-9 b/‎src/purify.js
+9-9
@@ -643,6 +643,15 @@ function createDOMPurify(window = getGlobal()) {
       allowedTags: ALLOWED_TAGS,
     });
 
+    /* Take care of an mXSS pattern using p, br inside svg, math */
+    if (
+      (tagName === 'svg' || tagName === 'math') &&
+      currentNode.querySelectorAll('p, br').length !== 0
+    ) {
+      _forceRemove(currentNode);
+      return true;
+    }
+
     /* Detect mXSS attempts abusing namespace confusion */
     if (
       !_isNode(currentNode.firstElementChild) &&
@@ -840,15 +849,6 @@ function createDOMPurify(window = getGlobal()) {
         continue;
       }
 
-      /* Take care of an mXSS pattern using namespace switches */
-      if (
-        regExpTest(/svg|math/i, currentNode.namespaceURI) &&
-        regExpTest(/<\//, value)
-      ) {
-        _removeAttribute(name, currentNode);
-        continue;
-      }
-
       /* Sanitize attribute content to be template-safe */
       if (SAFE_FOR_TEMPLATES) {
         value = stringReplace(value, MUSTACHE_EXPR, ' ');