Cross-site Scripting (XSS)

Affecting dompurify package, versions <0.4.4

medium severity

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of the package are vulnerable to Cross-site Scripting (XSS) caused by Double-Clobbering.


Remediation

Upgrade dompurify to version 0.4.4 or higher.
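To verify the remediation across a dependency tree, the following added check (not part of the advisory or of the dompurify project) scans a package-lock.json for every copy of dompurify, including nested copies pulled in by other packages, and reports those below the fixed release 0.4.4. The lockfile contents and the package name `some-editor` are constructed for the example.

```javascript
// Added example: find dompurify versions below the fixed release 0.4.4
// in an npm lockfile (v1 nested "dependencies" or v2/v3 "packages").
const FIXED_VERSION = '0.4.4';

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
// A pre-release suffix ("-beta") is ignored, so compare the base version only.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every { path, version } of a named package. Lockfile v2/v3 keys
// "packages" by node_modules path; v1 nests "dependencies" recursively.
function findPackage(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Return only the copies that fall in the affected range (< 0.4.4).
function vulnerableDompurify(lock) {
  return findPackage(lock, 'dompurify')
    .filter(e => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile: the direct dependency is fixed, but a nested
// copy under a hypothetical "some-editor" package is still affected.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    dompurify: { version: '0.4.4' },
    'some-editor': { version: '1.0.0', dependencies: { dompurify: { version: '0.4.2' } } },
  },
};
console.log(vulnerableDompurify(sampleLock));
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; an empty result means every resolved copy is at 0.4.4 or higher.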

Credit: Mathias Karlsson
CWE: CWE-79
Snyk ID: npm:dompurify:20141008
Disclosed: 07 Oct, 2014
Published: 24 Apr, 2017
