[DOMPurify Security] New Release Versions 2.5.2 & 3.1.2 (Security Issue)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Tue Apr 30 10:47:30 CEST 2024
*Intro*
New versions of DOMPurify were released today: DOMPurify 2.5.2 & 3.1.2
*Background*
It has been discovered that crafted HTML using a clobbering technique
can bypass the protections added in DOMPurify 2.5.1 and 3.1.1. A bypass
using unusual SVG HTML integration points has also been discovered.
The problems were reported and fixed in collaboration with @kevin-mizu
and Adam Kues of Assetnote.
*Fix*
DOMPurify now protects the affected property against DOM clobbering and
further restricts which HTML integration points can be used in SVG by
default. Both attacks are now prevented and can no longer be used to
bypass DOMPurify.
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.5.2
https://github.com/cure53/DOMPurify/releases/tag/3.1.2
EOF
--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/attachments/20240430/21ef527e/attachment.sig>
More information about the DOMPurify-Security
mailing list