Usage of vulnerable DOMPurify package

Overview

  • Rule ID: javascript_third_parties_dom_purify

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-79

Description

DOMPurify versions prior to 2.0.17 contain XSS vulnerabilities that can be triggered when the sanitize function is called without a proper configuration.

Remediation Guidelines

  • Upgrade DOMPurify to version 2.0.17 or greater, and specify a secure configuration option.

    // either
    DOMPurify.sanitize(htmlToSanitize, { RETURN_DOM_IMPORT: true })
    // or
    DOMPurify.sanitize(htmlToSanitize, { RETURN_DOM_FRAGMENT: true })
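
The following is an added example and not part of the rule page or of DOMPurify itself. It shows the two halves of the remediation as code: a lockfile check that flags any installed dompurify copy older than the 2.0.17 fix (including nested copies pulled in by other packages), and a wrapper that refuses to use a vulnerable library version and pins the `RETURN_DOM_FRAGMENT` configuration on every call. The sample lockfile content is constructed; `purifier` stands for whatever `require("dompurify")` or `createDOMPurify(window)` returned, and only its real `version` property and `sanitize` method are used.

```javascript
// Added example (not from the rule page or the DOMPurify project).
// Detects vulnerable DOMPurify versions in a lockfile and enforces a
// secure sanitize configuration through a thin wrapper.

const FIXED_VERSION = "2.0.17"; // first version without the bypass (from the rule text)

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison so that "10.0.0" sorts after "2.0.17" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed DOMPurify is older than the fixed release.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Scan a parsed package-lock.json and return every vulnerable dompurify entry.
// Handles lockfileVersion 2/3 ("packages" map keyed by path) and the
// lockfileVersion 1 layout (nested "dependencies" objects).
function findVulnerableDomPurify(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta || !meta.version) continue; // "" is the root project
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (name === "dompurify" && isVulnerableVersion(meta.version)) {
        findings.push({ path, version: meta.version });
      }
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "dompurify" && meta.version && isVulnerableVersion(meta.version)) {
        findings.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Wrap a DOMPurify instance so that every call uses a pinned secure configuration
// and so that a vulnerable library version is rejected at startup rather than
// silently used. RETURN_DOM_FRAGMENT returns a DocumentFragment, so callers insert
// it with DOM APIs (e.g. appendChild) instead of assigning an HTML string.
function makeStrictSanitizer(purifier, config = { RETURN_DOM_FRAGMENT: true }) {
  if (typeof purifier.version === "string" && isVulnerableVersion(purifier.version)) {
    throw new Error(`DOMPurify ${purifier.version} is older than ${FIXED_VERSION}; upgrade before use`);
  }
  // Spread a fresh copy each call so callers cannot mutate the pinned config.
  return (html) => purifier.sanitize(html, { ...config });
}

// Constructed sample lockfile (lockfileVersion 2 layout) for a stand-alone run:
// the top-level copy is vulnerable, the nested copy is already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "2.0.12" },
    "node_modules/some-editor": { version: "1.0.0" },
    "node_modules/some-editor/node_modules/dompurify": { version: "2.0.17" },
  },
};

console.log(JSON.stringify(findVulnerableDomPurify(SAMPLE_LOCK)));
// → [{"path":"node_modules/dompurify","version":"2.0.12"}]
```

Run the lockfile check in CI against `package-lock.json` so a vulnerable copy fails the build, and route all HTML sanitization through the wrapper so no call site can drop the configuration.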
