cure53 DOMPurify
cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*
- <= 3.1.3, >= 3.2.6
- <= 2.5.3, >= 2.5.8
A cross-site scripting vulnerability has been identified in DOMPurify versions from 3.1.3 up to, but not including, 3.2.7 and from 2.5.3 up to, but not including, 2.5.8. The SAFE_FOR_XML regular expression does not adequately validate textarea rawtext elements, which allows attackers to bypass attribute sanitization. Attackers can inject closing rawtext tags, such as </textarea>, into attribute values, breaking out of the rawtext context and executing JavaScript when the sanitized output is placed inside rawtext elements.
Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can execute JavaScript in the context of the user.
To reproduce this vulnerability, use a version of DOMPurify that is affected, such as 2.5.3 through 2.5.8 or 3.1.3 through 3.2.6. Sanitize a string that includes a closing textarea tag embedded within an attribute value. The absence of proper validation for textarea rawtext elements in the SAFE_FOR_XML regex allows the injected script to be executed when the sanitized content is placed inside rawtext elements.
Users can upgrade to DOMPurify version 3.2.7 or later to address this vulnerability. For those using the 2.x branch, no patch is available.
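As a defence-in-depth check for the pattern described above (sanitized output later placed inside a text-only element), the following added example is not DOMPurify code and is not part of the original advisory. The function names are hypothetical, and the element lists are an assumption based on the HTML parser's RCDATA and RAWTEXT handling; it covers more containers than the textarea case the advisory names.

```javascript
// Added example, not DOMPurify code. Function names are hypothetical.
// Elements whose content the HTML parser reads as text until the matching end tag.
const RCDATA = new Set(['textarea', 'title']);   // character references are decoded
const RAWTEXT = new Set(['style', 'xmp', 'iframe', 'noembed', 'noframes']); // not decoded

// True when `markup` contains an end tag that would close `container` early.
// Conservative on purpose: any "</name" counts, whatever character follows it.
function closesContainer(markup, container) {
  return markup.toLowerCase().includes('</' + container.toLowerCase());
}

// Returns a string that is safe to serialize between <container> and
// </container>, or throws when it cannot be made safe.
function prepareForTextContainer(markup, container) {
  const name = container.toLowerCase();
  if (RCDATA.has(name)) {
    // Escaping "&" and "<" keeps the whole string as text inside RCDATA,
    // and the browser shows the original markup after decoding.
    return markup.replace(/&/g, '&amp;').replace(/</g, '&lt;');
  }
  if (RAWTEXT.has(name)) {
    // RAWTEXT does not decode character references, so escaping cannot help.
    if (closesContainer(markup, name)) {
      throw new Error(`refusing to embed: contains </${name}`);
    }
    return markup;
  }
  throw new Error(`${container} is not a text-only container handled here`);
}

// Constructed sample: sanitizer output whose attribute value holds a closing tag.
const sample = '<p id="</textarea>">hello</p>';
console.log(closesContainer(sample, 'textarea'));        // flagged
console.log(prepareForTextContainer(sample, 'textarea')); // escaped form
```

Setting the value through the DOM (`textarea.value = ...`) avoids HTML serialization entirely and is preferable where the page is built client-side.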