DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
Modified: 4/16/2026
package
pkg:npm/dompurify
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
Modified: 4/16/2026
Cross-site Scripting in dompurify
Modified: 11/8/2023
DOMPurify Open Redirect vulnerability
Modified: 11/15/2023
Cross-Site Scripting in dompurify
Modified: 11/8/2023
DOMPurify USE_PROFILES prototype pollution allows event handlers
Modified: 5/29/2026
DOMPurify ADD_ATTR predicate skips URI validation
Modified: 5/29/2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Modified: 5/5/2026
DOMPurify has a nesting-based mXSS
Modified: 2/4/2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Modified: 5/5/2026
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
Modified: 4/7/2026
Cross-Site Scripting in dompurify
Modified: 9/29/2021
DOMPurify allows tampering by prototype pollution
Modified: 2/4/2026
DOMPurify vulnerable to tampering by prototype pollution
Modified: 11/3/2025
DOMPurify contains a Cross-site Scripting vulnerability
Modified: 3/30/2026
DOMPurify contains a Cross-site Scripting vulnerability
Modified: 3/10/2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Modified: 5/5/2026
DOMPurify allows Cross-site Scripting (XSS)
Modified: 2/4/2026