Insecure Defaults
Affecting dompurify package, versions <0.3
medium severity
Overview
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.
You can read more about Insecure Defaults on our blog.
Remediation
Upgrade dompurify to version 0.3 or higher.
References
Do your applications use this vulnerable package?
- Credit
- cure53
- CWE
- CWE-79
- Snyk ID
- npm:dompurify:20140308
- Disclosed
- 07 Mar, 2014
- Published
- 24 Apr, 2017