dompurify
js · dompurify · Heads-up
DOMPurify IN_PLACE sanitization fails for foreign-realm nodes (XSS)
DOMPurify.sanitize(node, { IN_PLACE: true }) fails to sanitize foreign-realm DOM nodes because internal instanceof checks are real
16 Jun 2026
js · dompurify · Heads-up
DOMPurify IN_PLACE bypass via spoofed nodeName on live DOM nodes
DOMPurify.sanitize(root, { IN_PLACE: true }) on attacker-supplied live DOM nodes trusts currentNode.nodeName for non-form nodes, a
16 Jun 2026
js · dompurify · Heads-up
DOMPurify fails to sanitize <template> with shadow DOM, XSS bypass
DOMPurify fails to sanitize content inside <template> elements that contain shadow DOM, allowing XSS payloads to bypass sanitizati
16 Jun 2026
js · dompurify · Heads-up
DOMPurify: Reused instance can retain stale TRUSTED_TYPES_POLICY after clearConfig()
A DOMPurify instance reused across trust boundaries can retain a previously supplied TRUSTED_TYPES_POLICY even after clearConfig()
16 Jun 2026