Affecting dompurify package, versions <0.3
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.
You can read more about
Insecure Defaults on our blog.
dompurify to version 0.3 or higher.
Do your applications use this vulnerable package?
- Snyk ID
- 07 Mar, 2014
- 24 Apr, 2017