DOMPurify 3.2.6 mXSS Flaw: Sanitized HTML Can Mutate to Execute JavaScript
A mutation-XSS (mXSS) vulnerability has been confirmed in DOMPurify versions prior to 3.3.2. HTML that DOMPurify has sanitized can turn into executable JavaScript when it is reinserted into a different parsing context, specifically inside one of a handful of wrapper elements. The result is client-side script execution from input the application treated as "cleaned", which defeats the library's core purpose.
The bug is a context-switching problem. The output of `DOMPurify.sanitize()` is safe for the context it was sanitized in, but it is parsed a second time when an application concatenates it into a wrapper such as `<script>`, `<xmp>`, `<iframe>`, `<noembed>`, `<noframes>`, or `<noscript>` and assigns the resulting string to `innerHTML`. The browser tokenizes the body of these elements as raw text that ends only at the wrapper's own end tag, so markup that was inert in the original context can become live in the new one. In the proof-of-concept demonstrations this mutation produces an event handler that executes `alert(1)`. The root cause is that the sanitized string is treated as trusted and spliced into the wrapper as text, and the `innerHTML` assignment then parses the combined string under rules the sanitizer never saw.
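The following is an added example, not code from the article or from DOMPurify. It models the single HTML tokenizer rule that makes the context switch dangerous: inside a raw-text element the parser ignores everything, entities included, until it sees `</` followed by the element's name (ASCII case-insensitively) and whitespace, `/`, or `>`. The payload string is constructed for illustration; it stands in for sanitizer output whose elements and attributes would all pass a typical allow-list, and it does not assert how any particular browser serializes `<` inside attribute values. The function and constant names are the example's own.

```javascript
// Added example: a minimal model of the HTML "raw text" tokenizer state,
// used to show why sanitizer output must not be concatenated into
// <script>, <style>, <xmp>, <iframe>, <noembed>, <noframes> or <noscript>.
// (<noscript> is raw text only when scripting is enabled, i.e. in a live
// page, which is exactly the second parse the article describes.)

const RAW_TEXT_WRAPPERS = ["script", "style", "xmp", "iframe", "noembed", "noframes", "noscript"];

function isRawTextWrapper(tag) {
  return RAW_TEXT_WRAPPERS.includes(String(tag).toLowerCase());
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Index at which raw text for `tag` would end inside `payload`, or -1 if the
// browser would keep consuming the whole payload as inert text. Per the HTML
// spec an "appropriate end tag" is "</" + name, followed by whitespace, "/" or ">".
function findRawTextEnd(tag, payload) {
  const re = new RegExp("</" + escapeRegExp(tag) + "(?=[\\t\\n\\f \\/>])", "i");
  const m = re.exec(payload);
  return m ? m.index : -1;
}

// What the browser does with "<tag>" + payload + "</tag>": everything before
// the first appropriate end tag stays raw text; everything after it is
// tokenized as live markup in the surrounding (body) context.
function reparseInWrapper(tag, payload) {
  const end = findRawTextEnd(tag, payload);
  if (end === -1) {
    return { rawText: payload, leakedMarkup: "" };
  }
  const closeEnd = payload.indexOf(">", end); // end of the premature "</tag ...>"
  const leaked = closeEnd === -1 ? "" : payload.slice(closeEnd + 1);
  return { rawText: payload.slice(0, end), leakedMarkup: leaked };
}

// Crude but sufficient here: does the leaked markup open an element that
// carries an on* event-handler attribute? That is the "mutation" at issue.
function leaksEventHandler(tag, payload) {
  const { leakedMarkup } = reparseInWrapper(tag, payload);
  return /<[a-z][^>]*\s+on[a-z]+\s*=/i.test(leakedMarkup);
}

// Guard an application can run before wrapping: a payload is only safe to
// place inside a raw-text element if it contains no appropriate end tag.
function safeToWrapIn(tag, payload) {
  return !isRawTextWrapper(tag) || findRawTextEnd(tag, payload) === -1;
}

// Constructed stand-in for sanitizer output. In body context this is harmless:
// <a> and title= are allowed, and the title value is just a string.
const SANITIZED_LOOKING = '<a title="</xmp><img src=x onerror=alert(1)>">link</a>';

// Harmless in <div>; becomes an <img onerror> once wrapped in <xmp>.
function demo() {
  return {
    wrappedInDiv: safeToWrapIn("div", SANITIZED_LOOKING),            // true
    wrappedInXmp: safeToWrapIn("xmp", SANITIZED_LOOKING),            // false
    leaked: reparseInWrapper("xmp", SANITIZED_LOOKING).leakedMarkup, // the <img ...> tail
  };
}
```

The practical rule the model enforces is that a sanitizer has no knowledge of where its output will land. If the intent is to show sanitized HTML as rendered content, assign it to the `innerHTML` of an ordinary element; if the intent is to show it as text, set `textContent` on the wrapper instead of building a string. Never splice it into a raw-text element by concatenation, whatever the DOMPurify version.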
This mXSS condition is a direct risk to any application that relies on an affected DOMPurify version for client-side sanitization before injecting content via `innerHTML`, and it undermines a fundamental control for sites handling user-generated content, forums, or rich-text editors. Although the issue is rated medium severity, every unpatched deployment remains exploitable, so the dependency should be updated to 3.3.2 or later without delay. Independently of the version in use, sanitized output should only be inserted into the kind of context it was sanitized for; concatenating it into a raw-text wrapper element reparses it under different rules and is unsafe on its own.