Cross-site Scripting (XSS)

Affecting dompurify package, versions <0.8.6

medium severity

Overview

DOMPurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the sanitized output is rendered in Safari 10.1 or later. Specifically, when DOMPurify is asked to sanitize a string such as:

<svg onload=alert(document.domain)>

the inline event handler survives sanitization in that browser and executes, resulting in XSS.

Remediation

Upgrade dompurify to version 0.8.6 or higher.
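As an added example (not DOMPurify's code and not part of the advisory), two defender-side checks a team can keep in CI for this issue: whether an installed dompurify version falls in the affected range, and a regression assertion that a sanitizer's output for the advisory's payload carries no inline event handler. It assumes a `sanitize(html)` callback returning a string, as DOMPurify.sanitize does; `stubSanitize` is a constructed stand-in so the block runs offline.

```javascript
// Added example for the dompurify <0.8.6 advisory; not the library's own code.
// The fixed release named in the advisory.
const FIXED_VERSION = [0, 8, 6];

// Returns true when `version` (e.g. "0.8.5") is below the fixed release.
function isAffectedVersion(version) {
  const parts = version.replace(/^v/, "").split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED_VERSION[i]) return have < FIXED_VERSION[i];
  }
  return false; // equal to 0.8.6 is not affected
}

// Scans HTML tags for attributes whose name starts with "on" (onload, onerror, ...).
// Handles double-quoted, single-quoted and unquoted values, the last being the
// form used in the advisory's payload `<svg onload=alert(document.domain)>`.
function findEventHandlerAttributes(html) {
  const found = [];
  const tagRe = /<[a-zA-Z][^\s>\/]*([^>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (/^on/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Regression check: true when the sanitizer's output contains no on* attributes.
function sanitizerStripsEventHandlers(sanitize, payload) {
  return findEventHandlerAttributes(sanitize(payload)).length === 0;
}

// Constructed stand-in sanitizer (NOT DOMPurify): drops on* attributes so the
// example is self-contained. Replace with DOMPurify.sanitize in a real test.
function stubSanitize(html) {
  return html.replace(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// The payload quoted in the advisory.
const ADVISORY_PAYLOAD = "<svg onload=alert(document.domain)>";
```

The output check inspects the returned string, so it cannot by itself reproduce the Safari-specific parsing behaviour the advisory describes; run the regression with the real DOMPurify.sanitize in Safari 10.1 or later to cover that.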

Credit: Unknown
CWE: CWE-79
Snyk ID: npm:dompurify:20170421
Disclosed: 21 Apr, 2017
Published: 24 Apr, 2017
