Insecure Defaults
Affecting dompurify package, versions <0.3
medium severity
Overview
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.
You can read more about Insecure Defaults on our blog.
Remediation
Upgrade dompurify to version 0.3 or higher.
References
- Credit
- cure53
- CWE
- CWE-79
- Snyk ID
- npm:dompurify:20140308
- Disclosed
- 07 Mar, 2014
- Published
- 24 Apr, 2017