Insecure Defaults

Affecting dompurify package, versions <0.3

medium severity

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.

You can read more about Insecure Defaults on our blog.

Remediation

Upgrade dompurify to version 0.3 or higher.

References

Credit
cure53
CWE
CWE-79
Snyk ID
npm:dompurify:20140308
Disclosed
07 Mar, 2014
Published
24 Apr, 2017

Do your applications use this vulnerable package?