DOMPurify Prototype Pollution Vulnerability Leading to Cross-Site Scripting Bypass

Vulnerability

DOMPurify, a sanitizer for HTML, MathML and SVG, is vulnerable in versions 3.0.1 through 3.3.3 to a cross-site scripting (XSS) bypass via prototype pollution. When 'DOMPurify.sanitize()' is called with the default configuration, a prototype pollution that has already been exploited in the same JavaScript context can plant lenient regular expressions under the keys 'tagNameCheck' and 'attributeNameCheck' on 'Object.prototype'. Because the default configuration reads the custom-element handling checks in a way that also sees properties inherited from 'Object.prototype', the polluted values are honoured as if the application had configured them, and DOMPurify passes through arbitrary custom elements and attributes, including event-handler attributes, instead of stripping them. Note the precondition: the attacker needs a separate prototype pollution gadget in the page; this issue turns that gadget into script execution through a sanitizer that would otherwise have removed the payload.

Impact

Successful exploitation yields a prototype-pollution-based XSS bypass: event-handler attributes (for example 'onfocus') on custom HTML elements survive sanitization, so once the sanitized output is inserted into the DOM the attacker's script runs in the origin of the page.

Reproduction

To reproduce this vulnerability, first exploit a prototype pollution gadget in the same execution context to inject permissive regular expressions (for example ones matching any name) into 'Object.prototype.tagNameCheck' and 'Object.prototype.attributeNameCheck'. Then call 'DOMPurify.sanitize()' with the default configuration on input containing a custom element such as '<x-x>' that carries an event-handler attribute such as 'onfocus'. The sanitized output still contains the event handler; inserting that output into the DOM and triggering the handler (for 'onfocus', giving the element focus) executes it.

Remediation

Upgrade to DOMPurify version 3.4.0, which addresses the vulnerability so that values polluted into 'Object.prototype' are no longer honoured as 'CUSTOM_ELEMENT_HANDLING' checks. As a workaround, applications can explicitly set 'CUSTOM_ELEMENT_HANDLING' to null, or supply the specific 'tagNameCheck' and 'attributeNameCheck' values they actually need, so that nothing is inherited from the prototype. Neither measure removes the prototype pollution itself: the gadget that allowed 'Object.prototype' to be written in the first place still needs to be fixed, since it can affect other code in the same page.
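The lookup mistake behind this class of bug, and the two remediations described above (an own-property lookup inside the sanitizer, and an explicit application-side 'CUSTOM_ELEMENT_HANDLING'), can be shown with a small model. The following is an added example written for this page; it is not DOMPurify's source code, and its tokenizer, allowlists, sample payload and function names ('sanitizeModel', 'resolveChecks', 'detectPollution', 'demo') are constructed for illustration only. It reproduces the behaviour the Vulnerability and Reproduction sections describe: a plain-object config inherits polluted 'tagNameCheck' and 'attributeNameCheck' regexes from 'Object.prototype', so '<x-x onfocus=...>' survives, while an own-property lookup or an explicit null config strips it.

```javascript
// Added example for this page: a simplified MODEL of how a sanitizer's
// custom-element checks can be poisoned by prototype pollution. It is NOT
// DOMPurify's source; the tokenizer, allowlists and function names
// (sanitizeModel, resolveChecks, detectPollution, demo) are constructed.

const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class']);

// Minimal start/end-tag tokenizer; only double-quoted attribute values.
const TAG = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:="[^"]*")?)*)\s*\/?>/g;
const ATTR = /([\w-]+)(?:="([^"]*)")?/g;

const isCustomElement = (tag) => tag.includes('-');

// Resolve the custom-element checks from the config. The vulnerable path reads
// handling.tagNameCheck directly; because `{}` inherits from Object.prototype,
// a polluted Object.prototype.tagNameCheck comes back as if it were configured.
// The guarded path accepts own properties only.
function resolveChecks(cfg, guarded) {
  const handling = cfg.CUSTOM_ELEMENT_HANDLING || {};
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const pick = (key) =>
    guarded ? (hasOwn(handling, key) ? handling[key] : null) : handling[key];
  return { tagNameCheck: pick('tagNameCheck'), attributeNameCheck: pick('attributeNameCheck') };
}

function sanitizeModel(html, cfg = {}, { guarded = false } = {}) {
  const { tagNameCheck, attributeNameCheck } = resolveChecks(cfg, guarded);
  const tagOk = (t) =>
    ALLOWED_TAGS.has(t) ||
    (isCustomElement(t) && tagNameCheck instanceof RegExp && tagNameCheck.test(t));
  const attrOk = (a) =>
    ALLOWED_ATTRS.has(a) || (attributeNameCheck instanceof RegExp && attributeNameCheck.test(a));

  return html.replace(TAG, (_m, slash, tag, attrText) => {
    const t = tag.toLowerCase();
    if (!tagOk(t)) return ''; // drop the tag, keep its text content
    const kept = [];
    for (const a of attrText.matchAll(ATTR)) {
      const name = a[1].toLowerCase();
      if (attrOk(name)) kept.push(a[2] === undefined ? name : `${name}="${a[2]}"`);
    }
    return `<${slash}${t}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Stand-in for a prototype pollution gadget elsewhere in the page (constructed).
function polluteObjectPrototype() {
  Object.prototype.tagNameCheck = /^.*$/;       // "any tag name is a fine custom element"
  Object.prototype.attributeNameCheck = /^.*$/; // "any attribute name is fine", on* included
}
function cleanupObjectPrototype() {
  delete Object.prototype.tagNameCheck;
  delete Object.prototype.attributeNameCheck;
}

// Runtime check an application can run before sanitizing: which of the two
// keys are currently reachable through Object.prototype.
function detectPollution() {
  return ['tagNameCheck', 'attributeNameCheck'].filter((k) => k in Object.prototype);
}

// Constructed payload: a custom element carrying an event handler.
const PAYLOAD = '<x-x onfocus="alert(1)" tabindex="1">hi</x-x><b class="c">ok</b>';

function demo() {
  const before = sanitizeModel(PAYLOAD); // clean prototype: <x-x> and onfocus dropped
  polluteObjectPrototype();
  try {
    return {
      pollutedKeys: detectPollution(),
      before,
      polluted: sanitizeModel(PAYLOAD),                       // vulnerable lookup: payload passes through
      guarded: sanitizeModel(PAYLOAD, {}, { guarded: true }), // own-property lookup: still dropped
      // Application-side workaround: explicit own null checks shadow the inherited ones.
      explicit: sanitizeModel(PAYLOAD, {
        CUSTOM_ELEMENT_HANDLING: { tagNameCheck: null, attributeNameCheck: null },
      }),
    };
  } finally {
    cleanupObjectPrototype();
  }
}

console.log(demo());
```

Running the block shows 'polluted' returning the payload unchanged while 'before', 'guarded' and 'explicit' all return the stripped form; 'detectPollution()' is the kind of pre-flight assertion worth running in a page that cannot rule out a pollution gadget.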

Added: Apr 23, 2026, 4:24 PM
Updated: Apr 23, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 5.2
remediation: 8.3
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.