[DOMPurify Security] New Release Version 1.0.10 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Tue Feb 19 14:51:48 CET 2019


*Intro*

A new version of DOMPurify was released today: DOMPurify 1.0.10

*Background*

It was discovered that the XSS protection can be bypassed if a
developer uses `ADD_TAGS` or `ALLOWED_TAGS` to additionally
white-list the `noscript` or `noembed` elements.

If that is the case, an attacker can use a specifically nested HTML
construct to confuse the browser and bypass DOMPurify.

Note that the default behavior of DOMPurify is not affected by this issue.

*Fix*

While this is technically a browser quirk, DOMPurify 1.0.10 protects
against this kind of attack by making sure that any `noscript` or
`noembed` element, even if white-listed, cannot contain risky content.

https://github.com/cure53/DOMPurify/blob/master/src/purify.js#L662

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/1.0.10

EOF

-- 
Fon  +49 1520 8675 782
PGP  0xC26C858090F70ADA

cure53.de || keybase.io/cure53 || @cure53berlin
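
To check whether a deployment falls under the condition described in the announcement above, the following added example (not part of the original message and not DOMPurify code) audits a version string and a sanitizer config object. The names `auditConfig` and `compareVersions` are hypothetical; `ADD_TAGS`, `ALLOWED_TAGS` and the 1.0.10 threshold come from the announcement.

```javascript
// Added example: flags configs that white-list the elements named in the
// advisory while running a DOMPurify release older than the fixed one.
const RISKY_TAGS = ['noscript', 'noembed']; // elements named in the advisory
const FIXED_VERSION = '1.0.10';             // release named in the advisory

// Compare dotted numeric versions; returns <0, 0 or >0.
// Suffixes such as "-beta" are ignored (assumption: plain x.y.z ordering).
function compareVersions(a, b) {
  const pa = String(a).split('.');
  const pb = String(b).split('.');
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// version: e.g. the value of DOMPurify.version in the running application.
// config:  the object the application passes to DOMPurify.sanitize().
function auditConfig(version, config = {}) {
  const findings = [];
  for (const option of ['ADD_TAGS', 'ALLOWED_TAGS']) {
    const tags = Array.isArray(config[option]) ? config[option] : [];
    for (const tag of tags) {
      // Tag names are case-insensitive in HTML, so normalise before matching.
      const name = String(tag).trim().toLowerCase();
      if (RISKY_TAGS.includes(name)) findings.push({ option, tag: name });
    }
  }
  const patched = compareVersions(version, FIXED_VERSION) >= 0;
  // Affected only when both conditions hold: old release AND risky white-list.
  return { patched, findings, affected: !patched && findings.length > 0 };
}

// Constructed sample inputs, not taken from any real application.
const samples = [
  ['1.0.9', { ADD_TAGS: ['NoScript', 'b'] }],
  ['1.0.9', { ALLOWED_TAGS: ['p', 'a'] }],
  ['1.0.10', { ALLOWED_TAGS: ['noembed'] }],
];
for (const [version, config] of samples) {
  console.log(version, JSON.stringify(config), auditConfig(version, config));
}
```

A finding on a patched version is still worth reviewing, since it shows where the application departs from the default configuration.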
