Severity: moderate

Cross-Site Scripting

dompurify

Overview

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Remediation

Upgrade to version 2.0.17 or later.
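The affected range above is every release before 2.0.17, which makes the remediation a version-gating problem: each installed copy of dompurify, including copies nested under other dependencies, has to be at or above the fixed version. The following is an added example, not code from the npm advisory or from the DOMPurify project. It compares versions by semver rules (a prerelease of 2.0.17 still counts as affected) and walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`; the lockfile contents, the package name `rich-editor` and the function names are all constructed for the example.

```javascript
// Added example, not part of the npm advisory or of the DOMPurify project:
// a dependency check that flags dompurify versions below the fixed release
// 2.0.17 named in the advisory. The lockfile below is constructed.

const FIXED_VERSION = '2.0.17';

// Parse "major.minor.patch[-prerelease][+build]" (optional leading "v") into parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split('.') : [],
  };
}

// Compare prerelease identifier lists per semver 2.0.0: numeric identifiers
// compare numerically and sort before alphanumeric ones; a list that is a
// prefix of a longer one sorts first.
function comparePrerelease(a, b) {
  const len = Math.min(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const na = /^\d+$/.test(a[i]);
    const nb = /^\d+$/.test(b[i]);
    if (na && nb) {
      if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1;
    } else if (na !== nb) {
      return na ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  if (a.length === b.length) return 0;
  return a.length < b.length ? -1 : 1;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  // A prerelease sorts before its release: 2.0.17-rc.1 < 2.0.17.
  if (pa.prerelease.length && !pb.prerelease.length) return -1;
  if (!pa.prerelease.length && pb.prerelease.length) return 1;
  return comparePrerelease(pa.prerelease, pb.prerelease);
}

// Affected range from the advisory: every version before 2.0.17.
function isAffectedDompurify(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// list every installed copy of dompurify, nested ones included, that is affected.
function findAffectedDompurify(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isDompurify =
      path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify');
    if (isDompurify && entry && entry.version && isAffectedDompurify(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is on the fixed version, but a
// hypothetical "rich-editor" dependency carries an older nested copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { dompurify: '^2.0.17' } },
    'node_modules/dompurify': { version: '2.0.17' },
    'node_modules/rich-editor': { version: '1.4.0', dependencies: { dompurify: '^2.0.0' } },
    'node_modules/rich-editor/node_modules/dompurify': { version: '2.0.16' },
  },
};

console.log(findAffectedDompurify(SAMPLE_LOCK));
// [{ path: 'node_modules/rich-editor/node_modules/dompurify', version: '2.0.16' }]
```

The nested copy is the one that typically survives an upgrade of the direct dependency, which is why the walk covers every `node_modules/dompurify` path rather than only the top-level one; `npm ls dompurify` shows the same tree from the command line.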


Advisory timeline

  1. published: Advisory Published, Dec 18th, 2020
  2. reported: Reported by Anonymous, Dec 18th, 2020