Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mutation XSS when converting from SVG namespace #482

Closed
bananabr opened this issue Nov 2, 2020 · 3 comments
Closed

Mutation XSS when converting from SVG namespace #482

bananabr opened this issue Nov 2, 2020 · 3 comments

Comments

@bananabr
Copy link

bananabr commented Nov 2, 2020
edited
Loading

Removed content for security reasons. Sorry for not following the proper disclosure guidelines in the first place.
@cure53
Copy link
Owner

cure53 commented Nov 2, 2020

Ooof, maybe email would have been better than a public ticket. Anyway, I deployed a fix:
https://cure53.de/purify

Do you think thus can be bypassed using your technique?

@bananabr
Copy link
Author

bananabr commented Nov 2, 2020
edited
Loading

Sorry, I did not know what the proper channel was to report this. My PoC code does not work anymore with the fix.

@cure53
Copy link
Owner

cure53 commented Nov 2, 2020

Check here please https://github.com/cure53/DOMPurify#what-if-i-find-a-security-bug

Either way, we will do a release now! The vector is beautiful tho, what can I say.

@cure53 cure53 closed this as completed Nov 2, 2020
cure53 added a commit that referenced this issue Nov 2, 2020
@cure53
fix: Fixed a mXSS bypass reported in #482
ee33fae
@charlag charlag mentioned this issue Nov 4, 2020
Closed
This was referenced Mar 14, 2021
Closed
Closed
Closed
Closed
Merged
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cure53 @bananabr