Cross-site Scripting (XSS)

Affecting dompurify package, versions <0.8.0 >=0.7.3

medium severity

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of the package are vulnerable to Cross-site Scripting (XSS). SVG tag names are case sensitive, but DOMPurify lowercases them, so the resulting SVG document renders incorrectly and may trigger a flaw in the Opera browser.
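As an added example (not DOMPurify's own code), a regression check a maintainer could put in a sanitizer test suite: it flags SVG element names whose case the sanitizer did not preserve. The `lowercasingSanitizer` stand-in and the sample markup are constructed here to model the behaviour the advisory describes.

```javascript
// Added example, not DOMPurify code: detect SVG element names whose case a
// sanitizer changed. Names such as foreignObject or linearGradient are case
// sensitive in an SVG/XML document, so lowercasing them changes which element
// the parser sees (or whether it recognises one at all).

// Constructed list of mixed-case SVG element names (not exhaustive).
const CASE_SENSITIVE_SVG_TAGS = [
  'foreignObject', 'linearGradient', 'radialGradient', 'clipPath',
  'feColorMatrix', 'textPath', 'animateTransform',
];
const CANONICAL = new Map(CASE_SENSITIVE_SVG_TAGS.map(t => [t.toLowerCase(), t]));

// Extract every start/end tag name from a markup string, case preserved.
function tagNames(markup) {
  const names = [];
  const re = /<\/?\s*([A-Za-z][\w:-]*)/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1]);
  return names;
}

// Return the tag names in `output` that map to a case-sensitive SVG element
// but no longer match its canonical spelling exactly.
function findCaseFoldedSvgTags(output) {
  const bad = new Set();
  for (const name of tagNames(output)) {
    const canonical = CANONICAL.get(name.toLowerCase());
    if (canonical !== undefined && name !== canonical) bad.add(name);
  }
  return [...bad];
}

// Hypothetical stand-in modelling the behaviour the advisory describes
// (every tag name lowercased); a real sanitizer would be passed here instead.
function lowercasingSanitizer(markup) {
  return markup.replace(/<(\/?)([A-Za-z][\w:-]*)/g,
    (_, slash, n) => `<${slash}${n.toLowerCase()}`);
}

// Constructed sample: an SVG fragment using two case-sensitive element names.
const SAMPLE = '<svg><clipPath id="c"/><foreignObject width="1" height="1"/></svg>';

console.log(findCaseFoldedSvgTags(SAMPLE));                       // []
console.log(findCaseFoldedSvgTags(lowercasingSanitizer(SAMPLE))); // [ 'clippath', 'foreignobject' ]
```

A sanitizer that preserves case produces an empty list; any non-empty result names the elements whose spelling was altered.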


Remediation

Upgrade dompurify to version 0.8.0 or higher.

Credit
jampy
CWE
CWE-79
Snyk ID
npm:dompurify:20160412
Disclosed
11 Apr, 2016
Published
24 Apr, 2017
