DOMPurify FORBID_TAGS Bypass Vulnerability in Versions Prior to 3.4.0

Vulnerability

A vulnerability exists in DOMPurify, a sanitizer for HTML, MathML, and SVG, in versions prior to 3.4.0. The issue arises from an inconsistency in how FORBID_TAGS and FORBID_ATTR are handled when a function-based ADD_TAGS option is used. Forbidden tags can survive the sanitization process with their attributes intact, allowing potential injection of malicious content, such as external URLs, through certain HTML elements.

Impact

Exploitation of this vulnerability allows forbidden HTML elements, such as iframes and forms, to bypass sanitization, potentially leading to the injection of malicious content or URLs.

Reproduction

The vulnerability can be reproduced by calling DOMPurify's sanitize function with a configuration that includes a function-based ADD_TAGS option. When a forbidden tag, such as 'iframe' or 'form', is listed in the FORBID_TAGS option, the sanitizer incorrectly allows the tag to pass through with its attributes intact. This can be verified by inspecting the returned sanitized output, which still contains the forbidden elements and their attributes, contrary to the expected behavior.
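The following regression check is an added example, not DOMPurify's own code: forbiddenSurvivors feeds a probe containing every FORBID_TAGS entry through any (html, config) => string sanitizer, such as DOMPurify.sanitize, and reports the forbidden elements that survive together with their attributes. The function-shaped ADD_TAGS value and the buggyStandIn sanitizer are constructed assumptions that mimic the behavior the advisory describes; the stand-in exists only so the example runs without DOMPurify installed.

```javascript
// Added regression guard (not DOMPurify's code): run a probe document
// containing each FORBID_TAGS entry through a sanitizer and report which
// forbidden elements survive, and with which attributes.
// `sanitize` is any (html, config) => string, e.g. DOMPurify.sanitize.

// Extract start-tag names and their raw attribute strings from HTML.
// Deliberately simple: adequate for sanitizer output, not a full parser.
function startTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:=(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push({ name: m[1].toLowerCase(), attrs: m[2].trim() });
  }
  return tags;
}

// Build a probe with one instance of each forbidden tag, each carrying
// a marker attribute so surviving attributes are visible in the report.
function buildProbe(forbidTags) {
  return forbidTags
    .map((t) => `<${t} src="https://probe.invalid/${t}" data-probe="1"></${t}>`)
    .join('');
}

// Returns the forbidden tags that survived sanitization (empty = OK).
function forbiddenSurvivors(sanitize, config) {
  const forbid = (config.FORBID_TAGS || []).map((t) => t.toLowerCase());
  const out = sanitize(buildProbe(forbid), config);
  return startTags(out).filter((t) => forbid.includes(t.name));
}

// Constructed stand-in (assumption, not DOMPurify) mimicking the pre-3.4.0
// behavior described above: with a function-based ADD_TAGS the forbidden
// tags pass through untouched; otherwise they are stripped.
function buggyStandIn(html, config) {
  if (typeof config.ADD_TAGS === 'function') return html;
  return html.replace(/<\/?(iframe|form)\b[^>]*>/gi, '');
}

// Assumed config shape: FORBID_TAGS array plus a function-based ADD_TAGS.
const probeConfig = {
  FORBID_TAGS: ['iframe', 'form'],
  ADD_TAGS: (tag) => tag === 'x-widget',
};
```

In a test suite, call forbiddenSurvivors(DOMPurify.sanitize, yourConfig) and fail the build when the returned array is non-empty.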

Remediation

Users can upgrade to DOMPurify version 3.4.0 or later, where this vulnerability has been patched.

Added: Apr 23, 2026, 4:22 PM
Updated: Apr 23, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.