Affecting dompurify package, versions <0.3
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to prevent such situations.
You can read more about Insecure Defaults on our blog.
Upgrade dompurify to version 0.3 or higher.
- 07 Mar, 2014
- 24 Apr, 2017