github cure53/DOMPurify 0.6.7
DOMPurify 0.6.7

8 years ago
  • Security Release Please update!
  • Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
  • Replaced document.implementation by DOMParser.parseFromString()
  • Changed location of purify.js from / to /src
  • Extended the range of tested browsers on BrowserStack

Details about the Security Issue

Problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario:
The bug only manifested itself if the sanitized HTML that DOMPurify created was written to a document using document.write() or a similar method. Applications that set the sanitized HTML using innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by a non-standard behavior of Gecko (the Firefox browser engine) and a peculiar way of handling innerHTML assignments. The following code snippets illustrate the issue:

<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>

<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are not affected by the bug anymore: DOMPurify works around the problem and mitigates the issue by no longer trusting Gecko's innerHTML implementation. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify now uses the DOMParser feature available in all modern browsers.
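As an added illustration of the change described above (not DOMPurify's own source), the following page sketches a minimal allowlist sanitizer that parses its input with DOMParser.parseFromString instead of document.implementation plus innerHTML, and shows the consuming application inserting the result via innerHTML rather than document.write(). The allowlists, the helper names and the round-trip check are assumptions made for this example.

```html
<!-- Added illustration, not DOMPurify's source: a DOMParser-based allowlist
     sanitizer and the safe way for an application to insert its output. -->
<div id="out"></div>
<script>
// Allowlists are assumptions chosen for this example (DOMPurify's own are far larger).
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'ul', 'li']);
const ALLOWED_ATTRS = new Set(['href']);

function sanitize(dirty) {
  // Parse into a fresh, inert document, as 0.6.7 does, instead of
  // document.implementation.createHTMLDocument() + body.innerHTML.
  const doc = new DOMParser().parseFromString(dirty, 'text/html');
  const walker = doc.createTreeWalker(doc.body, NodeFilter.SHOW_ELEMENT);
  const elements = [];
  while (walker.nextNode()) elements.push(walker.currentNode);
  for (const el of elements) {
    if (!ALLOWED_TAGS.has(el.localName)) { el.remove(); continue; }
    // Copy the live attribute map first; removing while iterating it skips entries.
    for (const attr of Array.from(el.attributes)) {
      // Drop event handlers and any attribute not on the allowlist.
      if (attr.name.startsWith('on') || !ALLOWED_ATTRS.has(attr.name)) {
        el.removeAttribute(attr.name);
      }
    }
  }
  const clean = doc.body.innerHTML;
  // Extra check (an assumption, not part of the release): the serialized result
  // must parse back to identical markup; if serializer and parser disagree,
  // the string must not be handed out.
  const again = new DOMParser().parseFromString(clean, 'text/html').body.innerHTML;
  if (again !== clean) throw new Error('serialization round-trip mismatch');
  return clean;
}

function insertSanitized(container, dirty) {
  // Consumers must assign the sanitized string via innerHTML (or outerHTML),
  // never document.write(), which re-parses it in a different context.
  container.innerHTML = sanitize(dirty);
}

// Constructed sample input, built from the payload quoted in the release notes.
insertSanitized(document.getElementById('out'),
  '<p>hello</p><svg><p><style><img src="</style><img src=x onerror=alert(1)//">');
</script>
```

Loaded in a browser, the page renders only the allowed paragraph content; the svg, style and img elements are dropped before serialization.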

This change is expected to be non-breaking; no API changes or other side effects are expected.

Thanks @mozfreddyb for assisting with this fix.
