Closed Codename-404 closed 2 months ago
The issue has already been fixed; you just need to update to one of the versions containing the fix.
Please see the security advisory published here:
Note: I am not affiliated with the maintainers in any way; I was just passing by because I had a security scan fail on my pipeline (just like you, probably).
I can confirm that bumping the version clears the security scan.
Thank you maintainers for your hard work!
Background & Context
Today we received an email from GitHub that DOMPurify allows tampering by prototype pollution. Can we expect a solution to this soon?
Expected output
Not to have a security vulnerability