dompurify Security Advisories - Npm | Ecosyste.ms: Advisories

dompurify

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It runs as JavaScript and works in all modern browsers, as well as in Node.js (via jsdom). DOMPurify is written by security people who have vast background in web a

View on github.com · View on npmjs.org

Security Advisories for dompurify in npm

Low

1 day ago

DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output GSA_kwCzR0hTQS12eHI4LWZxMzQtdnZ4Oc4ABYsI

npm dompurify

Low

1 day ago

DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes GSA_kwCzR0hTQS1ndm1qLWcyNXItcjd3cs4ABYr6

npm dompurify

Moderate

1 day ago

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content GSA_kwCzR0hTQS1ycDl3LTNmdzctN2N3cc4ABYr5

npm dompurify

Low

1 day ago

DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects GSA_kwCzR0hTQS14NHZ4LXJqdmYtajVwNM4ABYr4

npm dompurify

Moderate

1 day ago

DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` GSA_kwCzR0hTQS03Nm1jLWY0NTItY3hjbc4ABYr3

npm dompurify

Moderate

1 day ago

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks GSA_kwCzR0hTQS1ocGN2LTk2d2ctN3ZqOM4ABYr2

npm dompurify

Moderate

1 day ago

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM GSA_kwCzR0hTQS1yNDdnLWZ2aHItaDY3Ns4ABYr1

npm dompurify

High

16 days ago

DOMPurify XSS via selectedcontent re-clone GSA_kwCzR0hTQS04N3hnLXB4eDItN2h2eM4ABX4O

npm dompurify

Moderate

about 2 months ago

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) GSA_kwCzR0hTQS1oN213LWdwdnIteHE0bc4ABVoP

npm dompurify

Moderate

about 2 months ago

DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode GSA_kwCzR0hTQS1jcnY1LTl2d3ctcTNnOM4ABVoO

npm dompurify

Moderate

about 2 months ago

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback GSA_kwCzR0hTQS12OWpyLXJnNTMtOXBncM4ABVoN

npm dompurify

Moderate

2 months ago

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation GSA_kwCzR0hTQS0zOXEyLTk0cmMtOTVjcM4ABVWZ

npm dompurify

Moderate

3 months ago

DOMPurify ADD_ATTR predicate skips URI validation GSA_kwCzR0hTQS1jam1tLWY0amMtcXc4cs4ABUrA

npm dompurify

Moderate

3 months ago

DOMPurify USE_PROFILES prototype pollution allows event handlers GSA_kwCzR0hTQS1jajYzLWpoaHItd2N4ds4ABUq_

npm dompurify

Moderate

3 months ago

DOMPurify is vulnerable to mutation-XSS via Re-Contextualization GSA_kwCzR0hTQS1oOHI4LXdjY3ItdjVmMs4ABUZm

npm dompurify

Moderate

4 months ago

DOMPurify contains a Cross-site Scripting vulnerability GSA_kwCzR0hTQS12OGptLTV2d3gtY2Z4bc4ABTDE

npm dompurify

Moderate

4 months ago

DOMPurify contains a Cross-site Scripting vulnerability GSA_kwCzR0hTQS12MndqLTd3cHEtYzh2ds4ABTDL

npm dompurify

Moderate

over 1 year ago

DOMPurify allows Cross-site Scripting (XSS) GSA_kwCzR0hTQS12aHhmLTd2cXItbXJqZ84ABEeY

npm dompurify

Critical

over 1 year ago

DOMPurify vulnerable to tampering by prototype polution GSA_kwCzR0hTQS1wM3ZmLXY4cWMtY3djcs4ABA13

npm dompurify

Potential

High

over 1 year ago

Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify GSA_kwCzR0hTQS1tNGdxLXgyNGotanBtZs4ABAkl

npm mermaid

High

over 1 year ago

DOMpurify has a nesting-based mXSS GSA_kwCzR0hTQS1neDltLXdoam0tODVqZs4ABANT

npm dompurify

High

over 1 year ago

DOMPurify allows tampering by prototype pollution GSA_kwCzR0hTQS1tbWh4LWhtanItcjY3NM4AA_kd

npm dompurify

Moderate

over 2 years ago

DOMPurify Open Redirect vulnerability GSA_kwCzR0hTQS04aGdnLXh4bTUtMzg3M84AA3ID

npm dompurify

Repackage

Moderate

over 3 years ago

dompurify vulnerable to Cross-site Scripting GSA_kwCzR0hTQS1oNnAzLXA0dngtd3I4cc4AAw6h

pypi dompurify

Repackage

Moderate

over 3 years ago

dompurify vulnerable to Cross-site Scripting GSA_kwCzR0hTQS1wZ2p2LWpyZzItZ3Ezds4AAw6g

pypi dompurify

Moderate

over 5 years ago

Cross-site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTYzcTctaDg5NS1tOTgy

npm dompurify

Critical

almost 6 years ago

Cross-Site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1qanEtYzg4cS1xaHI2

npm dompurify

Moderate

almost 6 years ago

Cross-Site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNocWotajRmaC1ydzdt

npm dompurify

Filter by Severity

Moderate 19 High 4 Low 3 Critical 2

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

dompurify

DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output GSA_kwCzR0hTQS12eHI4LWZxMzQtdnZ4Oc4ABYsI

DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes GSA_kwCzR0hTQS1ndm1qLWcyNXItcjd3cs4ABYr6

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content GSA_kwCzR0hTQS1ycDl3LTNmdzctN2N3cc4ABYr5

DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects GSA_kwCzR0hTQS14NHZ4LXJqdmYtajVwNM4ABYr4

DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` GSA_kwCzR0hTQS03Nm1jLWY0NTItY3hjbc4ABYr3

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks GSA_kwCzR0hTQS1ocGN2LTk2d2ctN3ZqOM4ABYr2

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM GSA_kwCzR0hTQS1yNDdnLWZ2aHItaDY3Ns4ABYr1

DOMPurify XSS via selectedcontent re-clone GSA_kwCzR0hTQS04N3hnLXB4eDItN2h2eM4ABX4O

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) GSA_kwCzR0hTQS1oN213LWdwdnIteHE0bc4ABVoP

DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode GSA_kwCzR0hTQS1jcnY1LTl2d3ctcTNnOM4ABVoO

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback GSA_kwCzR0hTQS12OWpyLXJnNTMtOXBncM4ABVoN

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation GSA_kwCzR0hTQS0zOXEyLTk0cmMtOTVjcM4ABVWZ

DOMPurify ADD_ATTR predicate skips URI validation GSA_kwCzR0hTQS1jam1tLWY0amMtcXc4cs4ABUrA

DOMPurify USE_PROFILES prototype pollution allows event handlers GSA_kwCzR0hTQS1jajYzLWpoaHItd2N4ds4ABUq_

DOMPurify is vulnerable to mutation-XSS via Re-Contextualization GSA_kwCzR0hTQS1oOHI4LXdjY3ItdjVmMs4ABUZm

DOMPurify contains a Cross-site Scripting vulnerability GSA_kwCzR0hTQS12OGptLTV2d3gtY2Z4bc4ABTDE

DOMPurify contains a Cross-site Scripting vulnerability GSA_kwCzR0hTQS12MndqLTd3cHEtYzh2ds4ABTDL

DOMPurify allows Cross-site Scripting (XSS) GSA_kwCzR0hTQS12aHhmLTd2cXItbXJqZ84ABEeY

DOMPurify vulnerable to tampering by prototype polution GSA_kwCzR0hTQS1wM3ZmLXY4cWMtY3djcs4ABA13

Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify GSA_kwCzR0hTQS1tNGdxLXgyNGotanBtZs4ABAkl

DOMpurify has a nesting-based mXSS GSA_kwCzR0hTQS1neDltLXdoam0tODVqZs4ABANT

DOMPurify allows tampering by prototype pollution GSA_kwCzR0hTQS1tbWh4LWhtanItcjY3NM4AA_kd

DOMPurify Open Redirect vulnerability GSA_kwCzR0hTQS04aGdnLXh4bTUtMzg3M84AA3ID

dompurify vulnerable to Cross-site Scripting GSA_kwCzR0hTQS1oNnAzLXA0dngtd3I4cc4AAw6h

dompurify vulnerable to Cross-site Scripting GSA_kwCzR0hTQS1wZ2p2LWpyZzItZ3Ezds4AAw6g

Cross-site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTYzcTctaDg5NS1tOTgy

Cross-Site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1qanEtYzg4cS1xaHI2

Cross-Site Scripting in dompurify MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNocWotajRmaC1ydzdt

Filter by Severity