Explore tweets tagged as #DOMPurify
@kinugawamasato
Masato Kinugawa
10 months
Here is a bypass fixed in DOMPurify 3.1.7. It works only if special settings are used. Notice why the comment is closed with "->".
1
48
267
@darkhorseAnkit
Ankit Kumar Singh
2 days
✅ Built a blogging platform from scratch! 🛠️ Tech Stack: EJS (HTML, CSS), Node.js, MongoDB. 🎯 Features: Create, Edit, Delete Articles. 🔐 Safe & Secure using DOMPurify + JSDOM. 🔗 #TechProjects #WebDev #CodingCommunity
1
0
2
@kevin_mizu
Kévin GERVOT (Mizu)
8 months
I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜. The research article is available here: The slides are available here: 1/3
18
180
699
@ockeghem
徳丸 浩
6 months
Lately, while doing vulnerability assessments, I have been seeing strange XSS countermeasures, and I wonder whether this is a harmful side effect of generative AI. When you point out an XSS to ChatGPT, it is very eager to use DOMPurify. In the example below, the result is that tags are removed rather than escaped. This is not a model countermeasure.
4
275
851
@AmirMSafari
AmirMohammad Safari
2 months
Google fixed the Referrer Policy override technique in under 10 days. During that window, I found the latest version of DOMPurify on a public HackerOne program, used the trick to demonstrate impact and exploit the OAuth flow, and earned a ~$4K bounty :D
@slonser_
slonser
2 months
A fix from Google was released today. Part of the issue was due to my misunderstanding based on previous reports. Big thanks to the Chromium team for the quick resolve. I hope everyone had some fun, and apologies to the triagers on HackerOne XD
5
10
207
@YShahinzadeh
YS
5 months
CSS Data Exfiltration leads to Account Takeover (2x$4850 in two different routes). The input was placed in a DOMPurify (last ver) protected area; we (@AmirMSafari) used a <style> tag to leak the OAuth token with a sandbox in the page. We will publish a detailed writeup tomorrow night :]
26
41
723
@GithubProjects
GitHub Projects Community
19 days
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.
3
6
69
@Sonar_Research
Sonar Research
8 months
🧵 [1/4] Here is our DOMPurify 3.2.1 bypass, using a namespace confusion technique where each element is initially in a “correct” namespace. When it was allowed, the ‘is’ attribute was not handled correctly, making the attribute content’s regex check obsolete. #mXSS #XSS
2
42
145
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
5 months
Bug Bounty 101 - Identifying DOMPurify in Blind Scenarios
1
6
74
@kinugawamasato
Masato Kinugawa
2 months
A trivial bypass was fixed in DOMPurify 3.2.5. It works only if an attacker can write "-->". DOMPurify usually tries to prevent you from writing "-->" in attributes, but it can be written through DOMPurify hooks in some cases, for example. PoC👇
1
11
88
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
4 months
Playing with DOMPurify’s Text Output
0
3
37
@S1r1u5_
s1r1us
10 months
MXSS Part 2: Why Client-Side HTML Sanitization is hard. In this video, we dive into Parser Differentials, Namespace Confusion, and the Nesting Depth Limit that led to an XSS on Google and multiple DOMPurify bypasses.
1
53
203
@AmirMSafari
AmirMohammad Safari
3 months
Awesome technique by @slonser_! With this method, you can leak sensitive data using just an 'img' tag, even if the target uses DOMPurify and CSS data exfiltration is not possible.
@slonser_
slonser
3 months
Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->
6
41
254
@Rhynorater
Justin Gardner
5 months
I've seen people crushing it lately with server-side XSS inside a headless browser. It almost always results in RCE or crazy SSRF. But first you need to find XSS, and a lot of the time you're running up against a sanitizer: DOMPurify. The latest @ctbbpodcast episode covers how to.
4
12
203
@SecurityJourney
Security Journey
9 months
A recent vulnerability, CVE-2024-47875, was discovered in DOMPurify. The good news? The issue has already been patched in versions 2.50, 3.13, and any newer releases. 🛡️ #dompurify #securityvulnerability #XSS #crosssitescripting #appsec #opensourcesecurity #securecoding
0
0
1
@ryotkak
RyotaK
1 year
Reproduced DOMPurify 3.1.0 bypass, but my payload requires two mutations. Has anyone managed to trigger it with a single mutation?
9
2
113
@gregxsunday
Bug Bounty Reports Explained
8 months
Exploring the DOMPurify library: Bypasses and Fixes by @kevin_mizu. #BBRENewsletter84
1
18
124
@tbbhunter
The Bug Bounty Hunter
2 months
Playing with DOMPurify’s Text Output. @ctbbpodcast.
0
4
14
@kkomelin
Kos Komelin
11 days
isomorphic-dompurify - 1.1M downloads/week 🎉.
0
0
2