cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

XSS injection vulnerability #873

Closed kahoot-karl closed 10 months ago

kahoot-karl commented 10 months ago

XSS injection. Can be reproduced with https://cure53.de/purify

Input

<<a>audio src/onerror=\\\"if(!window.init){alert(localStorage.getItem('token'));window.init=true;}\\\">

Given output

&lt;<a>audio src/onerror=\\\"if(!window.init){alert(localStorage.getItem('token'));window.init=true;}\\\"&gt;</a>

Expected output

Not sure

cure53 commented 10 months ago

I cannot reproduce, sorry. I see no bug here.

kahoot-karl commented 10 months ago

Edit: GitHub stripped some tags; I have changed the formatting.

The clean DOM will result in a naked audio tag with JavaScript code attached to the onerror callback; isn't that a vulnerability? [screenshot attached]

cure53 commented 10 months ago

There is no actual injection or bypass, you just see harmless text there, as expected.
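The check a reviewer would run on a report like this, added here as an example (it is neither DOMPurify's code nor the reporter's): parse the quoted input and output the way a browser tokenizer would and list which elements and which on* attributes actually result. Seeing the word "onerror" in a serialized string proves nothing; what matters is whether it ends up as an attribute of an element or inside a text node. The tokenizer below is a deliberately small subset of the WHATWG one, sufficient for this markup; the constant names, the contrasting REAL_HANDLER input and the reading of the report's backslash escapes as plain double quotes are assumptions made for the example.

```javascript
// Added example, not DOMPurify's or the reporter's code: a minimal HTML
// tokenizer (subset of the WHATWG tokenizer, enough for the markup in this
// issue) used to check what a browser would actually build from the strings
// quoted in the report.

// Decode the named character references that appear in the sample
// (assumption: only these four are needed).
function decodeEntities(s) {
  const map = { lt: "<", gt: ">", amp: "&", quot: '"' };
  return s.replace(/&(lt|gt|amp|quot);/g, (_, name) => map[name]);
}

// Read one tag starting at html[start] === "<". Mirrors the browser for the
// quirks in the payload: "src/onerror" becomes two attributes because "/"
// ends an attribute name, and an unquoted value runs until whitespace or ">".
function readTag(html, start) {
  let i = start + 1;
  const closing = html[i] === "/";
  if (closing) i++;
  let name = "";
  while (i < html.length && /[A-Za-z0-9-]/.test(html[i])) name += html[i++];
  const attrs = {};
  while (i < html.length) {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;
    if (i >= html.length) break;
    if (html[i] === ">") { i++; break; }
    let attr = "";
    while (i < html.length && !/[\s\/>=]/.test(html[i])) attr += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < html.length && html[i] !== quote) value += html[i++];
        i++;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    if (attr) attrs[attr.toLowerCase()] = decodeEntities(value);
  }
  return { name: name.toLowerCase(), closing, attrs, end: i };
}

// Split markup into start tags, end tags and decoded text nodes. A "<" that is
// not followed by a letter or "/" is plain text, which is exactly what happens
// to the leading "<" of "<<a>" in the reported input.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  let text = "";
  const flush = () => {
    if (text) tokens.push({ type: "text", data: decodeEntities(text) });
    text = "";
  };
  while (i < html.length) {
    if (html[i] === "<" && /^<\/?[A-Za-z]/.test(html.slice(i, i + 3))) {
      flush();
      const tag = readTag(html, i);
      tokens.push({ type: tag.closing ? "end" : "start", name: tag.name, attrs: tag.attrs });
      i = tag.end;
    } else {
      text += html[i++];
    }
  }
  flush();
  return tokens;
}

// The question to ask of any claimed bypass: which elements and which on*
// attributes does the parsed markup actually contain? Text nodes never count.
function audit(html) {
  const elements = [];
  const handlers = [];
  for (const t of tokenize(html)) {
    if (t.type !== "start") continue;
    elements.push(t.name);
    for (const [k, v] of Object.entries(t.attrs)) {
      if (k.startsWith("on")) handlers.push(`${t.name}@${k}=${v}`);
    }
  }
  return { elements, handlers };
}

// The reporter's input and DOMPurify's output as quoted in this issue
// (assumption: the backslashes in the report are escaping, not payload).
const REPORTED_INPUT =
  '<<a>audio src/onerror="if(!window.init){alert(localStorage.getItem(\'token\'));window.init=true;}">';
const REPORTED_OUTPUT =
  '&lt;<a>audio src/onerror="if(!window.init){alert(localStorage.getItem(\'token\'));window.init=true;}"&gt;</a>';
// Constructed contrast: what a real handler injection looks like to the audit.
const REAL_HANDLER = '<a><audio src onerror="alert(1)"></a>';

for (const [label, html] of [["input", REPORTED_INPUT], ["output", REPORTED_OUTPUT], ["real", REAL_HANDLER]]) {
  console.log(label, JSON.stringify(audit(html)));
}
```

Both the reported input and the sanitized output yield a single `a` element and no handler attribute: the leading `<<` makes the first `<` literal text, and everything after `<a>` is text content of the anchor, so DOMPurify merely serialized what the parser produced. Only the constructed REAL_HANDLER string produces an `audio` element carrying `onerror`, which is the shape a genuine bypass report must have.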