Cross-site Scripting (XSS)
Affecting dompurify package, versions <0.8.0 >=0.7.3
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks. SVG tags are case sensitive, but DOMPurify transforms these tags to lowercase. This causes the SVG document to render incorrectly, and may trigger a flaw in the Opera browser.
You can read more about
Cross-site Scripting (XSS) on our blog.
dompurify to version 0.8.0 or higher.
Do your applications use this vulnerable package?
- Snyk ID
- 11 Apr, 2016
- 24 Apr, 2017