CVE-2019-16728
Summary: CVE-2019-16728 affects DOMPurify prior to 2.0.1, enabling cross-site scripting via innerHTML mutation XSS (mXSS) in SVG or MATH elements, demonstrated in Chrome and Safari. Affected component: DOMPurify (HTML, MathML, SVG sanitization code). Root cause: improper handling of innerHTML mut...
CVE-2019-16728
Removed by vendor...
Cross-site Scripting (XSS)
dompurify is vulnerable to cross-site scripting. This is possible because of a broken logical check in handling both the recent Safari DOMParser XSS and a Firefox mXSS...
Nextcloud: DOMPurify 0.8.9 released
Got the following via the DOMPurify-Security mailing list: Intro A new version of DOMPurify was released today: DOMPurify 0.8.9 Background DOMPurify showed weaknesses when handling both the recent Safari DOMParser XSS and a Firefox mXSS when working with document.write. Caused by a broken logical...
Cross-site Scripting (XSS)
dompurify is vulnerable to cross-site scripting (XSS) attacks. The attacks are possible because it does not sanitize strings properly. Attackers can launch an XSS via `new DOMParser().parseFromString('', 'text/html');` in Safari browser versions 10.1/10.2...