DOMPurify 3.2.6 Security Flaw: Predicate Function Bypass Allows JavaScript Execution
A bypass in the DOMPurify sanitization library allows malicious JavaScript to slip through its checks, a direct threat to web applications that rely on it to sanitize user-supplied HTML. The vulnerability, tracked as GHSA-cjmm-f4jc-qw8r, stems from how the library handles custom attribute-validation predicates. When an `ADD_ATTR` rule is defined as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`, the internal `_isValidAttribute` function returns early as soon as the predicate returns `true`, skipping the URI-safety check that would normally be applied to the attribute's value. The predicate therefore decides not only that the attribute name is acceptable but, unintentionally, that any value is, so protocols DOMPurify would otherwise block, such as `javascript:`, pass through untouched.
The proof of concept shows how little is needed: a predicate that accepts the `href` attribute on `<a>` (anchor) tags. A payload such as `<a href="javascript:alert(document.domain)">` is then returned with the `javascript:` URL intact, because the element and attribute name pass DOMPurify's remaining checks and the value check that would have rejected the scheme is the one that was skipped. The PoC goes on to trigger the sanitized payload with a simulated click inside an iframe, confirming that the script actually executes rather than merely surviving sanitization.
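To make the ordering problem concrete, here is an added example that models the check described above. It is not DOMPurify's source and not the PoC from the advisory: the function names, the `attributeCheck` config key, the base allow-lists and the sample attributes are assumptions made for illustration. Only the `IS_ALLOWED_URI` and `ATTR_WHITESPACE` patterns are copied from DOMPurify's published defaults. The vulnerable variant lets a name-only predicate short-circuit the value check; the fixed variant treats the predicate purely as a name decision and still runs the URI check on the value.

```javascript
// Added example: simplified model of attribute validation ordering.
// NOT DOMPurify's code; names and allow-lists below are assumptions.

// DOMPurify's default URI scheme allow-list (copied from its defaults).
const IS_ALLOWED_URI =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
// Whitespace stripped before the scheme check so "java\nscript:" cannot
// dodge the regex (also copied from DOMPurify's defaults).
const ATTR_WHITESPACE =
  /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Assumed base allow-list; "href" is deliberately absent so that only the
// predicate can admit it, mirroring an ADD_ATTR-style predicate rule.
const BASE_ALLOWED_ATTR = new Set(['title', 'class']);
// Attributes whose values are inert and never need a URI check (assumed).
const URI_SAFE_ATTRIBUTES = new Set(['alt', 'class', 'title', 'id']);

function valueIsSafeUri(value) {
  return IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE, ''));
}

// Vulnerable ordering: a predicate that accepts the attribute NAME returns
// early, so the VALUE is never compared against the URI allow-list.
function isValidAttributeVulnerable(config, lcName, value) {
  const { attributeCheck } = config;
  if (attributeCheck instanceof Function && attributeCheck(lcName)) {
    return true; // short-circuit: value never inspected
  }
  if (!BASE_ALLOWED_ATTR.has(lcName)) return false;
  if (URI_SAFE_ATTRIBUTES.has(lcName)) return true;
  return valueIsSafeUri(value);
}

// Fixed ordering: the predicate only decides whether the NAME is allowed;
// every non-inert attribute still has its VALUE checked.
function isValidAttributeFixed(config, lcName, value) {
  const { attributeCheck } = config;
  const nameAllowed =
    BASE_ALLOWED_ATTR.has(lcName) ||
    (attributeCheck instanceof Function && attributeCheck(lcName));
  if (!nameAllowed) return false;
  if (URI_SAFE_ATTRIBUTES.has(lcName)) return true;
  return valueIsSafeUri(value);
}

// Apply a validator to an attribute map and keep only what it accepts.
function sanitizeAttributes(attrs, config, validator) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (validator(config, name.toLowerCase(), value)) kept[name] = value;
  }
  return kept;
}

// Constructed inputs modelled on the advisory's PoC: a predicate that
// accepts "href" and an anchor carrying a javascript: URL.
const predicateConfig = { attributeCheck: (name) => name === 'href' };
const payloadAttrs = { href: 'javascript:alert(document.domain)', title: 'x' };

const survivesBug = sanitizeAttributes(payloadAttrs, predicateConfig, isValidAttributeVulnerable);
const afterFix = sanitizeAttributes(payloadAttrs, predicateConfig, isValidAttributeFixed);
console.log('vulnerable ordering keeps:', survivesBug);
console.log('fixed ordering keeps:', afterFix);
```

The difference to notice is where the predicate sits in the decision: in the vulnerable variant it is a terminal "accept", in the fixed variant it is only one way for the name to become allowed, after which the value is judged exactly as it would be for a built-in attribute. For deployments that cannot upgrade immediately, DOMPurify's documented `uponSanitizeAttribute` hook (which exposes `attrName` and `attrValue` and lets the hook set `keepAttr = false`) can re-apply a scheme check to `href`, `src` and similar attributes as a stopgap, but it is a second line of defence, not a substitute for the patched release.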
The impact is significant for any application that uses predicate-based attribute allowlisting with DOMPurify versions prior to 3.3.2; as described, configurations that never register such a predicate are not exposed through this path. The bypass undermines the library's core promise and can lead to cross-site scripting (XSS) wherever the sanitized output is rendered to other users. The fix is available in DOMPurify version 3.3.2. Developers using predicate-based rules should upgrade to 3.3.2 or later promptly, and, while doing so, review any existing predicates to confirm they were written on the assumption that the attribute value would still be validated after the name was accepted.