dompurify is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
With IN_PLACE: true, DOMPurify sanitizes a live DOM subtree in place instead of parsing and returning a string. When that input contains a template element whose inert .content holds an element with an attached open shadow root, the sanitizer walked the template content but did not recurse into attached shadow trees nested inside that fragment. Malicious markup inside the shadow root, such as img elements with onerror handlers or javascript: links, therefore survived sanitization. Cloning or inserting the template later activates the payload and enables cross-site scripting. The patch explicitly sanitizes attached shadow roots encountered while iterating template content and, symmetrically, descends into template .content while walking attached shadow trees. Only callers that pass live DOM nodes with IN_PLACE enabled are exposed to this traversal gap; if you use this mode, check that payloads placed inside shadow roots under template content are actually stripped after upgrading.
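The traversal gap described above, as an added example that is not DOMPurify's code: a constructed, DOM-shaped node model (childNodes, template .content, shadowRoot) carries a payload in an open shadow root under template content, and two walkers are run over it. The first is shaped like the pre-fix behaviour, following template content but never shadow roots found inside it; the second follows every subtree kind. The node model, the sample payload and the helper names (el, buildSample, isDangerousAttr, walkIncomplete, walkComplete, findDangerous, demo) are constructed for illustration.

```javascript
// Added example, not DOMPurify's code. A minimal constructed node model that
// mirrors DOM property names (nodeName, childNodes, content, shadowRoot) so the
// two walkers port directly to real nodes; only attribute iteration differs
// (a real DOM exposes a NamedNodeMap, here attributes is a plain object).
function el(nodeName, attributes = {}, childNodes = []) {
  return { nodeName, attributes, childNodes, content: null, shadowRoot: null };
}

// Constructed sample tree:
//   <div>
//     <template>                 (content = inert fragment, not a child node)
//       <div>                    (host with an attached open shadow root)
//         #shadow-root (open)
//           <img src=x onerror="alert(1)">
//           <a href="javascript:alert(1)">x</a>
function buildSample() {
  const host = el('DIV');
  host.shadowRoot = el('#shadow-root', {}, [
    el('IMG', { src: 'x', onerror: 'alert(1)' }),
    el('A', { href: 'javascript:alert(1)' }, [el('#text')]),
  ]);
  const tmpl = el('TEMPLATE');
  tmpl.content = el('#document-fragment', {}, [host]);
  return el('DIV', {}, [tmpl]);
}

// Attributes a sanitizer must strip: inline event handlers and
// javascript: URLs in URL-bearing attributes (leading control chars ignored).
function isDangerousAttr(name, value) {
  if (/^on/i.test(name)) return true;
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(href|src|xlink:href|action|formaction)$/i.test(name) &&
    v.startsWith('javascript:');
}

// Pre-fix shaped walk: descends into template .content, but once inside that
// fragment it never follows an attached shadowRoot, so the payload is missed.
function walkIncomplete(node, visit, insideTemplate = false) {
  visit(node);
  for (const child of node.childNodes) walkIncomplete(child, visit, insideTemplate);
  if (node.content) walkIncomplete(node.content, visit, true);
  if (node.shadowRoot && !insideTemplate) walkIncomplete(node.shadowRoot, visit, insideTemplate);
}

// Fixed-shaped walk: childNodes, template .content and attached shadowRoot are
// all visited for every node, whichever kind of subtree we are currently in.
function walkComplete(node, visit) {
  visit(node);
  for (const child of node.childNodes) walkComplete(child, visit);
  if (node.content) walkComplete(node.content, visit);
  if (node.shadowRoot) walkComplete(node.shadowRoot, visit);
}

// Collect "NODENAME[attr]" for every dangerous attribute the given walk reaches.
function findDangerous(root, walk) {
  const findings = [];
  walk(root, (node) => {
    for (const [name, value] of Object.entries(node.attributes)) {
      if (isDangerousAttr(name, value)) findings.push(`${node.nodeName}[${name}]`);
    }
  });
  return findings;
}

function demo() {
  const tree = buildSample();
  return {
    missed: findDangerous(tree, walkIncomplete), // [] : payload survives
    caught: findDangerous(tree, walkComplete),   // ['IMG[onerror]', 'A[href]']
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The equivalent check against the real library runs in a browser: build the same tree with document.createElement, template.content.appendChild and host.attachShadow({ mode: 'open' }), call DOMPurify.sanitize(root, { IN_PLACE: true }), then inspect host.shadowRoot.innerHTML; on a vulnerable build the onerror attribute and javascript: href are still present, on a patched one they should be gone.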
You are affected if you are using a version that falls within the vulnerable range.
dompurify is vulnerable to Cross-Site Scripting (XSS) in versions 0.0.1 - 3.4.5.
Upgrade the dompurify library to a patched release above the vulnerable range.