[DOMPurify Security] New Release Version 2.0.1 (Security Issue)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Thu Sep 19 11:42:25 CEST 2019
*Intro*
A new version of DOMPurify was released today: DOMPurify 2.0.1
*Background*
It was discovered that Google Chrome and other browsers using the Blink
engine are affected by a novel mXSS behavior. This behavior can be
abused successfully to bypass DOMPurify and cause XSS.
The problem relates to a parser misbehavior inside the SVG context that
appears to exist only in Blink. Other browser engines were tested as
well and don't appear to be affected:
https://github.com/cure53/DOMPurify/blob/master/src/purify.js#L536
Credits go to Michał Bentkowski (@securityMB) of Securitum, who spotted
the bug in Chrome, turned it into a DOMPurify bypass, reported it and
helped verify the fix.
*Fix*
DOMPurify is now aware of this browser issue and changes the
sanitization behavior to be more secure. The fix has been reviewed by
the original finder as well.
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.0.1
EOF
--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin
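
One check a consumer of this release can run, as an added example that is not part of the original announcement or the DOMPurify project: it walks a parsed npm lockfile and reports every dompurify copy older than 2.0.1, the release that carries the fix. The function names, the sample lockfile and the `some-editor` package are constructed for illustration; pre-release suffixes are ignored.

```javascript
// Added example: flag dompurify entries older than 2.0.1 in a parsed npm lockfile.
const FIXED = [2, 0, 1]; // release named in the announcement

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function predatesFix(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable (git URL, tag): report for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Handles both layouts: "packages" (lockfileVersion 2/3) or nested "dependencies" (v1).
function findOutdatedDompurify(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/dompurify$/.test(path) && predatesFix(meta.version)) {
        hits.push({ where: path, version: meta.version });
      }
    }
    return hits; // v2 files mirror the same data in "dependencies"; avoid duplicates
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'dompurify' && predatesFix(meta.version)) {
        hits.push({ where: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here); // transitive copies bundled under a dependency
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: top-level copy is current, a nested copy is not.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    dompurify: { version: '2.0.1' },
    'some-editor': { version: '1.4.0', dependencies: { dompurify: { version: '2.0.0' } } }
  }
};
console.log(findOutdatedDompurify(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findOutdatedDompurify`.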