dompurify is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
When ADD_ATTR is configured as a function predicate, the implementation treated a matching predicate result as its own early branch inside _isValidAttribute, so the control flow never reached the URI checks that normally run for URL-bearing attributes such as href after name approval. Applications that use the predicate to allow those attributes could therefore keep disallowed URI schemes in output that still passes sanitization, enabling DOM-based cross-site scripting when the injected markup is activated. The update folds predicate-based permission into the same name-permitted condition used with built-in allowlists so subsequent URI scheme validation always applies to those attributes.
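The following is an added illustration, not DOMPurify's own code: a simplified model of the two control flows the advisory describes, with the attribute allowlist, the scheme regex and the predicate signature `ADD_ATTR(attrName) => boolean` all assumed for the example. The vulnerable variant returns as soon as the predicate approves the name, while the fixed variant only uses the predicate to decide whether the name is permitted and then still runs the URI scheme check.

```javascript
// Added example, not DOMPurify's code. Names, allowlist and regex below are
// assumptions chosen to illustrate the control-flow difference only.

// Attributes whose values are URIs and therefore need scheme validation.
const URI_SAFE_ATTRS = new Set(['href', 'src', 'action', 'xlink:href']);
// Built-in attribute allowlist (abbreviated for the example).
const ALLOWED_ATTR = new Set(['href', 'title', 'class']);
// Simplified scheme allowlist: http(s), mailto, tel, plus relative URLs
// (leading non-letter, or letters not followed by a colon).
const IS_ALLOWED_URI =
  /^(?:(?:https?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Non-URI attributes pass; URI-bearing attributes must use an allowed scheme.
function uriSchemeOk(name, value) {
  return !URI_SAFE_ATTRS.has(name) || IS_ALLOWED_URI.test(value);
}

// Vulnerable control flow: a matching ADD_ATTR predicate is its own early
// branch, so a predicate-approved href is accepted before the scheme check.
function isValidAttributeVulnerable(name, value, config) {
  const { ADD_ATTR } = config;
  if (typeof ADD_ATTR === 'function' && ADD_ATTR(name)) {
    return true; // early exit: the value's scheme is never inspected
  }
  if (!ALLOWED_ATTR.has(name)) return false;
  return uriSchemeOk(name, value);
}

// Fixed control flow: predicate approval is folded into the same
// "name permitted" condition as the built-in allowlist, so the scheme
// check always runs afterwards for URL-bearing attributes.
function isValidAttributeFixed(name, value, config) {
  const { ADD_ATTR } = config;
  const namePermitted =
    ALLOWED_ATTR.has(name) ||
    (typeof ADD_ATTR === 'function' && ADD_ATTR(name));
  if (!namePermitted) return false;
  return uriSchemeOk(name, value);
}
```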
You are affected if you are using a version that falls within the vulnerable range.
dompurify is vulnerable to Cross-Site Scripting (XSS) in versions 3.3.0 - 3.4.1.
Upgrade the dompurify library to the patched version.