Severity: moderate

Cross-Site Scripting

Cure53 DOMPurify before 2.0.17 allows mutation XSS (mXSS). The markup that the sanitizer inspects and the markup the browser finally renders are not guaranteed to be the same: a serialize-parse roundtrip does not necessarily return the original DOM tree, and an element's namespace can change from HTML to MathML during that roundtrip, as demonstrated by nesting of FORM elements. Content that is harmless in the tree DOMPurify checked can therefore become script-executing once its serialized output is parsed again.
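The two checks below are an added example for this advisory, not DOMPurify's own code or its fix. They show what an application can run on sanitizer output to notice the roundtrip instability described above: a serialize-parse-serialize comparison, a namespace listing after a roundtrip, and re-sanitizing until the output stops changing. The browser-side helpers assume `DOMParser` and `innerHTML`; `sanitize` is assumed to be any string-to-string sanitizer such as `DOMPurify.sanitize`.

```javascript
// Added example, not part of DOMPurify. Assumes a browser (DOMParser, innerHTML)
// for the parse/serialize helpers; the checks themselves accept any parse and
// serialize pair so they can be exercised elsewhere.

// Parse a fragment the way innerHTML would, into a fresh <body>. Browser only.
function browserParse(html) {
  const doc = new DOMParser().parseFromString('<!DOCTYPE html><body>' + html, 'text/html');
  return doc.body;
}

function browserSerialize(body) {
  return body.innerHTML;
}

// True when one serialize-parse roundtrip is a fixed point: re-parsing the
// serialized markup and serializing again yields the same string. Mutation XSS
// depends on this being false for the sanitizer's output.
function isRoundtripStable(html, parse = browserParse, serialize = browserSerialize) {
  const once = serialize(parse(html));
  const twice = serialize(parse(once));
  return once === twice;
}

// Browser only: list every element with its namespace after one roundtrip, so a
// move from the HTML namespace into MathML (or SVG) becomes visible.
function namespacesAfterRoundtrip(html) {
  const body = browserParse(browserSerialize(browserParse(html)));
  return Array.from(body.querySelectorAll('*'), el => `${el.localName} ${el.namespaceURI}`);
}

// Re-run the sanitizer until its output no longer changes. Output that still
// changes after `maxRounds` extra passes is treated as hostile and discarded.
function sanitizeUntilStable(dirty, sanitize, maxRounds = 3) {
  let current = sanitize(dirty);
  for (let round = 1; round <= maxRounds; round++) {
    const next = sanitize(current);
    if (next === current) {
      return { html: current, stable: true, rounds: round };
    }
    current = next;
  }
  return { html: '', stable: false, rounds: maxRounds };
}

// Browser usage, assuming DOMPurify is loaded on the page:
//   const clean = sanitizeUntilStable(userInput, html => DOMPurify.sanitize(html));
//   isRoundtripStable(clean.html);        // expect true
//   namespacesAfterRoundtrip(clean.html); // expect only http://www.w3.org/1999/xhtml
```

Re-sanitizing to a fixed point is a defence-in-depth measure for application code, not a substitute for upgrading: a sanitizer whose output is not roundtrip-stable should be treated as broken, and anything that still mutates after a few passes should be dropped rather than rendered.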


Upgrade to version 2.0.17 or later.

Advisory timeline

  1. Advisory published: Dec 18th, 2020
  2. Reported by Anonymous: Dec 18th, 2020