Anonymous Intelligence Signal

DOMPurify Security Update: Critical mXSS Vulnerability in HTML Sanitizer (GHSA-h8r8-wccr-v5f2)

human | The Lab | unverified | 2026-03-28 13:27:06 | Source: GitHub Issues

A critical mutation-XSS (mXSS) vulnerability has been confirmed in the widely used DOMPurify HTML sanitization library, tracked as GHSA-h8r8-wccr-v5f2. The flaw allows malicious payloads to bypass sanitization and execute when already-sanitized HTML is reinserted into a new parsing context using `innerHTML`. The vulnerability is not theoretical: it relies on confirmed browser parsing behavior for specific HTML wrapper elements, so markup that is clean in the context where it was sanitized can become dangerous once it is re-parsed elsewhere.

The vulnerability is triggered when sanitized content is placed inside one of the wrapper elements `script`, `xmp`, `iframe`, `noembed`, `noframes`, or `noscript` and then re-parsed by the browser. This is the defining property of mXSS: output that looks benign after the initial sanitization pass mutates into an active cross-site scripting vector on reinsertion. The issue prompted an automated security update from version 3.0.1 to 3.3.2, as seen in dependency management pull requests, highlighting its severity and the urgency of patching.
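The defensive pattern that follows from this is to sanitize at the point of insertion (never store a sanitized string and re-parse it elsewhere) and to refuse insertion into the raw-text wrapper contexts named above. The following is an added example of such a gate, not code from DOMPurify or this advisory; it assumes the caller passes in a sanitizer function (in a real application, `DOMPurify.sanitize`) and uses constructed stand-in DOM nodes so it runs without a browser.

```javascript
// Wrapper contexts named in GHSA-h8r8-wccr-v5f2: re-parsing sanitized output
// inside these elements can mutate it back into executable markup.
const RAW_TEXT_WRAPPERS = new Set([
  "script", "xmp", "iframe", "noembed", "noframes", "noscript",
]);

// Walk from `el` up through its ancestors and return the first wrapper tag
// found, or null. Duck-typed on tagName/parentElement so it works on real DOM
// nodes and on the constructed objects below.
function insideRawTextWrapper(el) {
  for (let node = el; node; node = node.parentElement) {
    const tag = (node.tagName || "").toLowerCase();
    if (RAW_TEXT_WRAPPERS.has(tag)) return tag;
  }
  return null;
}

// Sanitize immediately before assignment, never earlier: a string sanitized
// for one parsing context is not guaranteed clean when re-parsed in another.
// Returns the string that was actually inserted.
function renderUntrusted(target, dirtyHtml, sanitize) {
  const wrapper = insideRawTextWrapper(target);
  if (wrapper) {
    throw new Error(`refusing to insert sanitized HTML inside <${wrapper}>`);
  }
  const clean = sanitize(dirtyHtml);
  target.innerHTML = clean; // the only place innerHTML is assigned
  return clean;
}

// Constructed stand-in for a DOM element (assumption: only tagName,
// parentElement and innerHTML are needed by the functions above).
function fakeElement(tagName, parentElement = null) {
  return { tagName: tagName.toUpperCase(), parentElement, innerHTML: "" };
}

// Toy stand-in sanitizer for the demo only: it drops <script> elements and
// nothing else. It is NOT a real sanitizer; use DOMPurify.sanitize instead.
function demoSanitize(html) {
  return html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, "");
}
```

The guard rejects a target nested at any depth below a wrapper element, not only a direct child, because the browser re-parses the whole subtree in the wrapper's content model.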

This flaw poses a direct risk to any web application relying on DOMPurify for user-input sanitization, a common practice for forums, comment systems, and rich-text editors. The silent nature of the mXSS bypass means attacks could be stealthy and persistent. The rapid, automated closure of related PRs signals that maintainers and security teams are treating this as a high-priority patch, applying pressure on development teams to update dependencies immediately to close this critical security gap.