js · dompurify
Heads-up
DOMPurify fails to sanitize <template> with shadow DOM, XSS bypass
DOMPurify fails to sanitize content inside <template> elements that contain shadow DOM, so an XSS payload placed there passes through sanitization unchanged.
What changed
DOMPurify's sanitization walk does not reach the content of a <template> element that carries shadow DOM. Markup placed there (for example an element with an event-handler attribute) is returned as part of the "sanitized" output and executes once that output is inserted into a page.
Who it affects
Applications that use DOMPurify to sanitize untrusted HTML. Since the attacker controls the input, any such application is exposed unless it already forbids <template> elements; it does not matter whether the application's own content ever uses templates or shadow DOM.
What to do today
Identify which DOMPurify version your application ships (including copies bundled by other dependencies) and update to a release that addresses this issue. Where you cannot update yet, forbid <template> elements and the declarative shadow DOM attributes through DOMPurify's FORBID_TAGS and FORBID_ATTR options, and confirm with a test payload that nothing placed inside a <template> survives sanitization.
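The workaround above, carried through as an added example. This is not DOMPurify's own code nor code from this advisory. It assumes DOMPurify's real configuration options FORBID_TAGS, FORBID_ATTR and RETURN_DOM_FRAGMENT, and the attribute names shadowrootmode and shadowroot that browsers use for declarative shadow DOM. Because the sanitizer's own walk skips template content, the example adds a second, independent walk over the sanitizer's output that explicitly descends into template.content and element.shadowRoot and fails closed if anything executable is found. The DOM tree it runs on here is a constructed stand-in with the same property shape as real DOM nodes, so the file runs under Node without jsdom; in a browser, pass the real DOMPurify object and a real fragment.

```javascript
// Added example, not DOMPurify's code. Two layers of defence in depth for
// the <template> / shadow DOM gap: a hardened config and a post-check walk.

// Layer 1: DOMPurify config that drops <template> and declarative shadow
// DOM attributes outright (FORBID_TAGS / FORBID_ATTR are real options).
function hardenedConfig(extra = {}) {
  return {
    ...extra,
    FORBID_TAGS: [...(extra.FORBID_TAGS || []), 'template'],
    FORBID_ATTR: [...(extra.FORBID_ATTR || []), 'shadowrootmode', 'shadowroot'],
  };
}

// Layer 2: walk the sanitizer output, including the two places an ordinary
// element walk never visits: template.content and element.shadowRoot.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'svg', 'math']);
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Returns a list of findings ("path: reason"); an empty list means clean.
function findExecutableContent(root, path = 'root') {
  const findings = [];
  const stack = [[root, path]];
  while (stack.length) {
    const [node, where] = stack.pop();
    const tag = (node.tagName || '').toLowerCase();
    if (DANGEROUS_TAGS.has(tag)) findings.push(`${where}: <${tag}> element`);
    for (const attr of Array.from(node.attributes || [])) {
      const name = attr.name.toLowerCase();
      const value = String(attr.value || '').trim().toLowerCase();
      if (name.startsWith('on')) findings.push(`${where}: event handler ${name}`);
      if (URL_ATTRS.has(name) && value.startsWith('javascript:')) findings.push(`${where}: javascript: URL in ${name}`);
      if (name === 'shadowrootmode' || name === 'shadowroot') findings.push(`${where}: declarative shadow root`);
    }
    for (const child of Array.from(node.children || [])) {
      stack.push([child, `${where}/${child.tagName.toLowerCase()}`]);
    }
    // A <template>'s markup lives in node.content, not node.children.
    if (tag === 'template' && node.content) stack.push([node.content, `${where}/#template-content`]);
    if (node.shadowRoot) stack.push([node.shadowRoot, `${where}/#shadow-root`]);
  }
  return findings;
}

// Sanitize with the hardened config, then refuse output that is still executable.
function sanitizeStrict(purify, dirty, config = {}) {
  const fragment = purify.sanitize(dirty, { ...hardenedConfig(config), RETURN_DOM_FRAGMENT: true });
  const findings = findExecutableContent(fragment, 'fragment');
  if (findings.length) throw new Error('sanitizer output still executable: ' + findings.join('; '));
  return fragment;
}

// Constructed stand-in for DOM nodes (assumption: same property shape as the
// real DOM) so this file runs under Node without jsdom.
function fakeEl(tagName, attributes = {}, children = [], extra = {}) {
  return {
    tagName: tagName.toUpperCase(),
    attributes: Object.entries(attributes).map(([name, value]) => ({ name, value })),
    children,
    ...extra, // { content } for <template>, { shadowRoot } for a shadow host
  };
}
function fakeFragment(children) { return { children }; }

// Constructed sample: what a sanitizer that skips template content would hand
// back for '<div><template shadowrootmode="open"><img src=x onerror=alert(1)></template></div>'.
// Note the template's children are empty; the <img> only exists in .content.
const UNSANITIZED_TEMPLATE_TREE = fakeFragment([
  fakeEl('div', {}, [
    fakeEl('template', { shadowrootmode: 'open' }, [], {
      content: fakeFragment([fakeEl('img', { src: 'x', onerror: 'alert(1)' })]),
    }),
  ]),
]);
const CLEAN_TREE = fakeFragment([fakeEl('div', {}, [fakeEl('p', { class: 'note' })])]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExecutableContent(UNSANITIZED_TEMPLATE_TREE, 'fragment'));
  console.log(findExecutableContent(CLEAN_TREE, 'fragment'));
}
```

Forbidding <template> will break legitimate content that relies on it, so scope the hardened config to inputs that do not need templates where you can. The post-check is deliberately conservative (it rejects any declarative shadow root and any on* attribute, not only the ones known to be exploitable) and is a stop-gap until the application runs a fixed DOMPurify release, not a replacement for it.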