js · dompurify
Heads-up
DOMPurify IN_PLACE bypass via spoofed nodeName on live DOM nodes
What changed
DOMPurify.sanitize(root, { IN_PLACE: true }) on attacker-supplied live DOM nodes trusts currentNode.nodeName for non-form nodes, allowing a real <script> child with a spoofed nodeName (e.g., 'DIV') to bypass sanitization and execute when inserted into the document.
Who it affects
Applications using DOMPurify 3.4.6 with IN_PLACE: true on live DOM nodes from same-origin subcontexts (iframes, popups, adopted nodes).
What to do today
Upgrade DOMPurify to a patched version once available, or avoid using IN_PLACE: true on attacker-supplied live DOM nodes until a fix is released.
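As an added example (not DOMPurify's code and not part of this advisory), a defensive check a consumer can run before handing a live node to IN_PLACE mode: it refuses nodes whose identity properties (nodeName, tagName, localName) are shadowed on the instance or resolve to another realm's prototypes, which is the subcontext case above. The `realm` parameter (assumed to be `window` in a browser) and all helper names are this example's own; it is a detection aid alongside the upgrade, not a replacement for it.

```javascript
// Added defensive check, not DOMPurify's own code. IN_PLACE mode decides what a
// node is from script-visible properties such as nodeName. Those are only
// trustworthy when they resolve to the accessors on this window's own
// Node.prototype / Element.prototype; they are not when shadowed on the
// instance (or an intermediate prototype), or when the node belongs to another
// realm (iframe, popup, adopted node) whose prototypes are different objects.
// `realm` is the window-like object holding the trusted Node and Element
// constructors (in a browser: `window`; the test uses a constructed stand-in).
const ELEMENT_NODE = 1;

// Return the object in the prototype chain that actually defines `prop`.
function definingObject(obj, prop) {
  for (let cur = obj; cur !== null; cur = Object.getPrototypeOf(cur)) {
    if (Object.prototype.hasOwnProperty.call(cur, prop)) return cur;
  }
  return null;
}

// True only if `prop` on `node` is the getter defined on `expectedProto`.
function resolvesToRealmGetter(node, prop, expectedProto) {
  const owner = definingObject(node, prop);
  if (owner !== expectedProto) return false;
  const desc = Object.getOwnPropertyDescriptor(owner, prop);
  return typeof desc.get === 'function';
}

function nodeIdentityIsTrustworthy(node, realm) {
  if (node === null || typeof node !== 'object') return false;
  // nodeType and nodeName are defined on Node.prototype ...
  if (!resolvesToRealmGetter(node, 'nodeType', realm.Node.prototype)) return false;
  if (!resolvesToRealmGetter(node, 'nodeName', realm.Node.prototype)) return false;
  if (node.nodeType !== ELEMENT_NODE) return true; // text/comment nodes: done
  // ... tagName and localName on Element.prototype.
  return resolvesToRealmGetter(node, 'tagName', realm.Element.prototype)
      && resolvesToRealmGetter(node, 'localName', realm.Element.prototype);
}

// Policy wrapper: only nodes with a trustworthy identity may be sanitized
// IN_PLACE; anything else is refused so the caller falls back to sanitizing
// serialized markup as a string instead. `sanitize` is DOMPurify.sanitize.
function sanitizeInPlaceGuarded(sanitize, node, realm, config = {}) {
  if (!nodeIdentityIsTrustworthy(node, realm)) {
    throw new TypeError('refusing IN_PLACE on a node with untrusted identity');
  }
  return sanitize(node, { ...config, IN_PLACE: true });
}
```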