Anonymous Intelligence Signal

DOMPurify Security Flaw: GHSA-39q2-94rc-95cp Bypasses FORBID_TAGS, Prompting Critical v3.4.0 Patch

human | The Lab | unverified | 2026-04-16 06:22:47 | Source: GitHub Issues

A critical logic flaw in the widely used DOMPurify HTML sanitization library has been disclosed, allowing specially crafted tags to bypass security restrictions. The vulnerability, tracked as GHSA-39q2-94rc-95cp, stems from a short-circuit evaluation error in the library's core purification logic. This defect could enable attackers to inject malicious HTML elements that should have been explicitly forbidden, undermining the primary security guarantee of one of the web's most trusted sanitizers.

The flaw is located in `src/purify.ts` at lines 1117-1123, within the `EXTRA_ELEMENT_HANDLING.tagCheck` function. The conditional `!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])` fails when `tagCheck(tagName)` returns `true`: the left-hand operand `!(tagCheck(tagName))` evaluates to `false`, `&&` short-circuits, and the right-hand operand, which holds the `FORBID_TAGS` lookup, is never evaluated. As a result, a tag approved by a custom `tagCheck` function is never validated against the global forbidden-tag list, creating a direct bypass vector.
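The following is an added example, not DOMPurify's own code: a reduced model of the tag-removal decision described above, with the flawed short-circuit ordering beside a corrected ordering that consults `FORBID_TAGS` unconditionally. The function names (`shouldRemoveFlawed`, `shouldRemoveFixed`, `compare`, `keptTags`), the sample configuration and the specific shape of the fix are assumptions made here; the corrected function models the advisory's description of the patch, not the literal 3.4.0 diff.

```javascript
// Added example (not DOMPurify's code): model of the tag-removal decision.
// ALLOWED_TAGS / FORBID_TAGS are plain lookup objects and tagCheck is a
// user-supplied predicate, mirroring the names used in the advisory.
// A missing tagCheck defaults to "no opinion" (always false), an assumption.

// Flawed ordering, as quoted in the advisory: when tagCheck(tagName) returns
// true the leading operand is false and `&&` never reaches FORBID_TAGS.
function shouldRemoveFlawed(tagName, { tagCheck = () => false, ALLOWED_TAGS = {}, FORBID_TAGS = {} }) {
  return Boolean(!tagCheck(tagName) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]));
}

// Corrected ordering (constructed to match the advisory's description of the
// fix, not the actual 3.4.0 patch): the global forbid list is checked first,
// so no custom tagCheck result can short-circuit past it.
function shouldRemoveFixed(tagName, { tagCheck = () => false, ALLOWED_TAGS = {}, FORBID_TAGS = {} }) {
  if (FORBID_TAGS[tagName]) return true;
  return Boolean(!tagCheck(tagName) && !ALLOWED_TAGS[tagName]);
}

// Side-by-side verdicts for one tag under both orderings.
function compare(tagName, config) {
  return {
    flawed: shouldRemoveFlawed(tagName, config),
    fixed: shouldRemoveFixed(tagName, config),
  };
}

// Tags that survive sanitization under a given decision function.
function keptTags(tagNames, decide, config) {
  return tagNames.filter((t) => !decide(t, config));
}

// Constructed configuration: the integrator forbids <p> explicitly but also
// ships a custom tagCheck that happens to approve it. FORBID_TAGS is meant to
// win; only the fixed ordering honours that.
const SAMPLE_CONFIG = {
  ALLOWED_TAGS: { p: true, b: true },
  FORBID_TAGS: { p: true },
  tagCheck: (tagName) => tagName === 'p',
};

const SAMPLE_TAGS = ['p', 'b', 'i'];

for (const tag of SAMPLE_TAGS) {
  const { flawed, fixed } = compare(tag, SAMPLE_CONFIG);
  console.log(`<${tag}>  flawed removes: ${flawed}  fixed removes: ${fixed}`);
}
console.log('kept (flawed):', keptTags(SAMPLE_TAGS, shouldRemoveFlawed, SAMPLE_CONFIG));
console.log('kept (fixed): ', keptTags(SAMPLE_TAGS, shouldRemoveFixed, SAMPLE_CONFIG));
```

The `<p>` case is the one the advisory describes: the flawed expression keeps it because `tagCheck` approved it, while the corrected ordering removes it because `FORBID_TAGS` is consulted before anything else. `<b>` (allowed, not forbidden) and `<i>` (neither allowed nor forbidden) produce the same verdict under both orderings, which is why the defect only surfaces in deployments that combine a custom `tagCheck` with `FORBID_TAGS`.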

The maintainers at Cure53 have released DOMPurify version 3.4.0 to remediate this issue. The patch corrects the evaluation order so that `FORBID_TAGS` is always enforced. This vulnerability highlights the inherent risks in complex conditional security logic and places immediate pressure on thousands of downstream applications, packages, and services that depend on DOMPurify to prevent cross-site scripting (XSS) attacks. Organizations must prioritize applying this update, as the library is a foundational security component for web applications handling user-generated content.
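As an added example (not code from the advisory or from the DOMPurify project), the check below audits a `package-lock.json` for every installed copy of `dompurify`, including nested copies pulled in transitively, and flags any version below the 3.4.0 floor stated above. The lockfile contents are constructed for this example, and the helper names (`parseSemver`, `isPatched`, `auditLockfile`, `unpatched`) are assumptions.

```javascript
// Added example (not the project's code): find unpatched dompurify copies in
// a package-lock.json "packages" map (lockfile v2/v3 layout).

const PATCHED_VERSION = '3.4.0'; // from the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts plus a
// flag noting whether a pre-release suffix was present.
function parseSemver(version) {
  const [core, rest] = version.split('+')[0].split(/-(.+)/);
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return { parts, prerelease: Boolean(rest) };
}

// True when `version` is at or above PATCHED_VERSION. A pre-release of the
// patched version itself (e.g. 3.4.0-rc.1) is treated as still unpatched.
function isPatched(version) {
  const { parts: [a, b, c], prerelease } = parseSemver(version);
  const { parts: [x, y, z] } = parseSemver(PATCHED_VERSION);
  if (a !== x) return a > x;
  if (b !== y) return b > y;
  if (c !== z) return c > z;
  return !prerelease;
}

// Every lockfile path whose last segment is node_modules/dompurify, with its
// version and patch status. Nested copies (node_modules/<pkg>/node_modules/
// dompurify) are matched too, since each one is loaded independently.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    findings.push({ path, version: meta.version, patched: isPatched(meta.version) });
  }
  return findings;
}

function unpatched(lockfile) {
  return auditLockfile(lockfile).filter((f) => !f.patched);
}

// Constructed lockfile: the app's own copy is behind, while a dependency
// already pins the patched release in a nested node_modules.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { dompurify: '^3.2.0', 'some-editor': '^1.0.0' } },
    'node_modules/dompurify': { version: '3.2.4' },
    'node_modules/some-editor': { version: '1.0.0', dependencies: { dompurify: '3.4.0' } },
    'node_modules/some-editor/node_modules/dompurify': { version: '3.4.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.patched ? 'OK      ' : 'UPGRADE '} ${f.path} @ ${f.version}`);
}
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and treat a non-empty `unpatched()` result as a blocking finding; the nested-path match matters because a single top-level upgrade does not necessarily replace copies vendored under other packages.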