VYPR
Moderate severity · NVD Advisory · Published Sep 24, 2019 · Updated Aug 5, 2024

CVE-2019-16728

Description

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOMPurify before 2.0.1 is vulnerable to mutation XSS via innerHTML of SVG or MATH elements, bypassing sanitization in Chrome and Safari.

Vulnerability

Overview

DOMPurify is an HTML sanitizer library designed to prevent cross-site scripting (XSS) by stripping dangerous content. CVE-2019-16728 describes a mutation XSS (mXSS) flaw in versions prior to 2.0.1. The root cause lies in how the library handles SVG and MATH elements: when the sanitized output is later inserted into the DOM via innerHTML, the browser's parser may reinterpret the markup in a way that re-introduces executable scripts. This mutation behavior is specific to certain browsers, notably Chrome and Safari [1].

Exploitation

Prerequisites

An attacker can exploit this vulnerability by crafting a malicious payload that includes SVG or MATH elements. After DOMPurify processes the input, the resulting HTML appears safe. However, when the application assigns this sanitized string to an element's innerHTML property, the browser's HTML parser mutates the content, causing the originally blocked script to execute. No special network position or authentication is required; the attacker only needs to inject the payload into a page that uses DOMPurify and subsequently inserts the sanitized output into the DOM [1].

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to theft of sensitive data, session hijacking, defacement, or further attacks against the application and its users. The vulnerability is particularly dangerous because it bypasses the sanitizer's intended protections, making it a critical issue for any application relying on DOMPurify for XSS defense [1].

Mitigation

The vulnerability is fixed in DOMPurify version 2.0.1. Users should upgrade immediately. No workaround is documented; the only reliable mitigation is to apply the patch. Given that the flaw was demonstrated in Chrome and Safari, applications supporting these browsers are especially at risk [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dompurify (npm)
Affected versions: < 2.0.3
Patched versions: 2.0.3

Affected products: 2

Patches: 0

No patches discovered yet.

References: 6