DOMPurify IN_PLACE sanitization fails for foreign-realm nodes (XSS)
What changed
DOMPurify.sanitize(node, { IN_PLACE: true }) fails to sanitize foreign-realm DOM nodes because internal instanceof checks are realm-bound, allowing XSS via clobbered form attributes, template content, and shadow roots.
Who it affects
Applications that parse untrusted DOM in a same-origin iframe (or other realm) and then sanitize it with DOMPurify.sanitize(node, { IN_PLACE: true }) using a parent-realm DOMPurify instance. Versions ≤ 3.4.5 and current main are affected.
What to do today
Upgrade to a patched version once available, or avoid using IN_PLACE sanitization with foreign-realm nodes. As a workaround, ensure the input node belongs to the same realm as the DOMPurify instance.