CVE-2019-16728

Name of the Vulnerable Software and Affected Versions DOMPurify versions prior to 2.0.3 DOMPurify versions prior to 2.0.1

Description The issue allows for Cross-Site Scripting (XSS) due to innerHTML mutation XSS (mXSS) for an SVG element or a MATH element. This can be demonstrated in browsers like Chrome and Safari. The package has an XSS filter bypass due to Mutation XSS through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">, which allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victim's browser.

Recommendations Upgrade to version 2.0.3 or later. As a temporary workaround, consider disallowing <svg> and <math> tags through dompurify configurations by using DOMPurify.sanitize(input, { FORBID TAGS: ['svg', 'math'] }); to minimize the risk of exploitation.