DOMPurify Cross-Site Scripting Vulnerability via Missing Rawtext Elements

Vulnerability

A cross-site scripting vulnerability has been identified in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8. It allows attackers to bypass attribute sanitization because five rawtext elements are missing from the SAFE_FOR_XML regex: noscript, xmp, noembed, noframes, and iframe. An attacker can place a payload, such as a closing tag for one of these elements followed by an image tag with an event handler, into an attribute value, and the sanitizer leaves it in place. When the sanitized output is later inserted inside one of these rawtext contexts, the closing tag terminates the rawtext content and the injected JavaScript is executed.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can execute JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use DOMPurify to sanitize HTML whose attribute values carry payloads aimed at the missing rawtext elements. For example, an attribute value could contain a script injection payload, such as an img tag with an onerror handler, preceded by the closing tag of one of those elements.
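The following is an added example for the Vulnerability and Reproduction sections above; it is not DOMPurify's code. It shows a defensive post-sanitization audit: scan the attribute values of sanitized markup for a closing tag of a rawtext element, which is the shape of payload this advisory describes. The shorter list labelled pre-fix (style, title, textarea) is an assumption used only to illustrate why the five elements named in the advisory must be covered; the attribute extractor assumes quoted attribute values as a serializer emits them and is not a full HTML parser; the sample markup is constructed.

```javascript
// Added example, not part of DOMPurify. Audits sanitized HTML for attribute
// values that contain a closing tag of a rawtext element.

// Assumption: an illustrative older list that does NOT include the five
// elements named in the advisory.
const RAWTEXT_ELEMENTS_PRE_FIX = ['style', 'title', 'textarea'];

// The five elements the advisory names, added to the illustrative list.
const RAWTEXT_ELEMENTS = RAWTEXT_ELEMENTS_PRE_FIX.concat([
  'noscript', 'xmp', 'noembed', 'noframes', 'iframe',
]);

// Builds a case-insensitive pattern matching "</" followed by one of the
// element names as a whole word, e.g. "</noscript" or "</ NOFRAMES".
function rawtextCloserPattern(elements) {
  return new RegExp('</\\s*(?:' + elements.join('|') + ')\\b', 'i');
}

// True when an attribute value could terminate one of the listed rawtext
// contexts if the markup is later placed inside that element.
function containsRawtextCloser(value, elements = RAWTEXT_ELEMENTS) {
  return rawtextCloserPattern(elements).test(value);
}

// Minimal extractor for name="value" / name='value' pairs in serialized
// markup. Assumes quoted attribute values (as a DOM serializer produces);
// it is deliberately not a general HTML parser.
function extractAttributeValues(html) {
  const values = [];
  const re = /\s([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    values.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3] });
  }
  return values;
}

// Returns the attributes whose values contain a rawtext closing tag.
// An empty result means the markup is safe to embed in those contexts
// with respect to this specific pattern.
function auditSanitizedHtml(html, elements = RAWTEXT_ELEMENTS) {
  return extractAttributeValues(html).filter((a) =>
    containsRawtextCloser(a.value, elements));
}

// Constructed sample: one attribute carries a </noscript> closer, the other
// is harmless. No event handler is included; the audit keys off the closer.
const SAMPLE_SANITIZED =
  '<a title="x</noscript>y">safe</a><img alt="plain">';

// With the full list the audit flags the title attribute; with the
// illustrative pre-fix list it misses it, which is the gap described above.
const flaggedFull = auditSanitizedHtml(SAMPLE_SANITIZED);
const flaggedPreFix = auditSanitizedHtml(SAMPLE_SANITIZED, RAWTEXT_ELEMENTS_PRE_FIX);
console.log('flagged with full list:', flaggedFull.map((a) => a.name));
console.log('flagged with pre-fix list:', flaggedPreFix.map((a) => a.name));
```

This audit is a secondary control, not a replacement for updating DOMPurify: the primary mitigation is the fixed version, and the simplest structural defence is never to insert sanitized HTML inside noscript, xmp, noembed, noframes, iframe, or other rawtext elements at all.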

Remediation

Users can update to DOMPurify version 3.3.1 or the latest 2.x version to address this vulnerability.

Added: Mar 3, 2026, 6:20 PM
Updated: Mar 3, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 5.7
remediation: 7.7
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.