AIKIDO-2026-10563

dompurify is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 27, 2026

61

Medium Risk

This Affects:

dompurify (JavaScript)
0.4.0 - 3.4.0
Fixed in 3.4.1

TL;DR

The sanitizer accepted list- and object-shaped options without fully validating their types, so a mis-typed or prototype-inherited config value could silently widen what the sanitizer allows. The fix tightens several points.

addToSet in src/utils.ts now returns immediately when the value it is given is not an array. In src/purify.ts, list-valued config fields must satisfy arrayIsArray, ALLOWED_URI_REGEXP must satisfy isRegex, and ADD_TAGS, ADD_ATTR, the integration point maps and CUSTOM_ELEMENT_HANDLING are read with own-property checks and cloned, so inherited or malformed values cannot widen the allow-lists.

The IN_PLACE walk only proceeds when the root's nodeName is a string. Reserved custom element names are matched case-insensitively, so annotation-xml style tags cannot evade the basic custom-element path in XHTML-like handling. SANITIZE_NAMED_PROPS no longer re-prefixes id and name values that already carry the prefix.

Non-node dirty input is stringified with stringifyValue instead of a direct toString call, reducing DOM-adapter and host-object edge cases.

Without these changes, crafted input or a mis-typed config could leave active content in the output; when that output is later assigned as HTML, it executes as cross-site script.
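The option-validation pattern described above, as an added example written for this page. It is not DOMPurify's source: normalizeConfig, DEFAULT_ALLOWED_TAGS, the default URI regexp and the reserved-name list are assumptions chosen for illustration, and addToSetUnchecked is a constructed contrast showing why the Array check matters, not the library's earlier code. The example generalizes beyond the advisory's bullet points into a complete config normalizer so the individual checks can be seen working together.

```javascript
// Added example, not DOMPurify's code: the validation pattern the advisory
// describes, written from scratch. normalizeConfig, the default lists and
// addToSetUnchecked are illustrative assumptions/constructions.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isRegex = (x) => Object.prototype.toString.call(x) === '[object RegExp]';

// Hardened: anything that is not a real Array leaves the set untouched.
function addToSet(set, array, transform = (s) => s.toLowerCase()) {
  if (!Array.isArray(array)) return set;
  for (const element of array) {
    if (typeof element === 'string') set[transform(element)] = true;
  }
  return set;
}

// Constructed contrast (not the library's earlier code): an index-based loop
// accepts any array-like value, so {length: 1, 0: 'script'} widens the set.
function addToSetUnchecked(set, array) {
  let l = array.length;
  while (l--) set[String(array[l]).toLowerCase()] = true;
  return set;
}

const LIST_FIELDS = ['ALLOWED_TAGS', 'ADD_TAGS', 'FORBID_TAGS',
  'ALLOWED_ATTR', 'ADD_ATTR', 'FORBID_ATTR'];
const DEFAULT_ALLOWED_TAGS = ['a', 'b', 'i', 'p', 'ul', 'li', 'span']; // constructed subset
const DEFAULT_ALLOWED_URI_REGEXP = /^(?:https?|mailto|tel):/i;        // constructed default
const RESERVED_CUSTOM_ELEMENT_NAMES = new Set([
  'annotation-xml', 'color-profile', 'font-face', 'font-face-src',
  'font-face-uri', 'font-face-format', 'font-face-name', 'missing-glyph',
]);

// Reserved names are compared case-insensitively, so "Annotation-XML" cannot
// slip past a check that only knows the lowercase spelling.
function isReservedCustomElementName(name) {
  return typeof name === 'string' && RESERVED_CUSTOM_ELEMENT_NAMES.has(name.toLowerCase());
}

// SANITIZE_NAMED_PROPS prefixing is idempotent: a value that already carries
// the prefix is returned unchanged instead of being prefixed a second time.
function prefixNamedProp(value, prefix = 'user-content-') {
  return value.startsWith(prefix) ? value : prefix + value;
}

function normalizeConfig(cfg) {
  // A non-object config (null, a string, undefined) is treated as empty.
  const input = cfg !== null && typeof cfg === 'object' ? cfg : {};
  const out = Object.create(null);

  // List fields: only own, genuine Array values count, and they are cloned so
  // mutating the caller's array afterwards cannot change the policy.
  for (const field of LIST_FIELDS) {
    const v = hasOwn(input, field) ? input[field] : undefined;
    out[field] = Array.isArray(v) ? [...v] : null;
  }

  // ALLOWED_URI_REGEXP must be a real RegExp; anything else falls back to the default.
  out.ALLOWED_URI_REGEXP =
    hasOwn(input, 'ALLOWED_URI_REGEXP') && isRegex(input.ALLOWED_URI_REGEXP)
      ? input.ALLOWED_URI_REGEXP
      : DEFAULT_ALLOWED_URI_REGEXP;

  // CUSTOM_ELEMENT_HANDLING: copy own, correctly typed checks into a
  // null-prototype object; inherited keys are ignored.
  const raw = hasOwn(input, 'CUSTOM_ELEMENT_HANDLING') ? input.CUSTOM_ELEMENT_HANDLING : null;
  const ceh = raw !== null && typeof raw === 'object' ? raw : {};
  out.CUSTOM_ELEMENT_HANDLING = Object.create(null);
  for (const key of ['tagNameCheck', 'attributeNameCheck']) {
    const v = hasOwn(ceh, key) ? ceh[key] : null;
    out.CUSTOM_ELEMENT_HANDLING[key] = isRegex(v) || typeof v === 'function' ? v : null;
  }
  out.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements =
    hasOwn(ceh, 'allowCustomizedBuiltInElements') && ceh.allowCustomizedBuiltInElements === true;

  // Effective tag allow-list: ALLOWED_TAGS (or defaults) plus ADD_TAGS minus FORBID_TAGS.
  const tags = addToSet(Object.create(null), out.ALLOWED_TAGS || DEFAULT_ALLOWED_TAGS);
  addToSet(tags, out.ADD_TAGS || []);
  for (const t of out.FORBID_TAGS || []) {
    if (typeof t === 'string') delete tags[t.toLowerCase()];
  }
  out.allowedTags = tags;
  return out;
}
```

With this normalizer, `ADD_TAGS: 'script'` (a string), `ADD_TAGS` inherited through a prototype, and a string passed as ALLOWED_URI_REGEXP are all dropped rather than silently widening the allow-list, while an explicit own array such as `ADD_TAGS: ['SCRIPT']` is still honoured as the caller's deliberate choice.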

Who does this affect?

You are affected if you use dompurify 0.4.0 through 3.4.0. Exposure is greatest where sanitizer options are assembled from values that are not fully under your control (for example, config objects merged from loosely typed or partly untrusted sources), because the fix is about validating option types; the advisory also notes that crafted input alone could trigger the issue.

Background info

dompurify versions 0.4.0 through 3.4.0 are vulnerable to Cross-Site Scripting (XSS); the fix is in 3.4.1.

How to fix this

Upgrade dompurify to 3.4.1 or later. Until you can upgrade, pass only own, correctly typed option values to the sanitizer (real arrays for list fields, a real RegExp for ALLOWED_URI_REGEXP) and do not build its configuration from untrusted or prototype-inherited objects.