GHSA-39q2-94rc-95cp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-39q2-94rc-95cp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-39q2-94rc-95cp/GHSA-39q2-94rc-95cp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-39q2-94rc-95cp
- Downstream
- Related
- Published
- 2026-04-16T00:46:35Z
- Modified
- 2026-04-16T23:29:14.344521774Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
- Details
-
Summary
In
src/purify.ts:1117-1123,ADD_TAGSas a function (viaEXTRA_ELEMENT_HANDLING.tagCheck) bypassesFORBID_TAGSdue to short-circuit evaluation.The condition:
!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])When
tagCheck(tagName)returnstrue, the entire condition isfalseand the element is kept —FORBID_TAGS[tagName]is never evaluated.Inconsistency
This contradicts the attribute-side pattern at line 1214 where
FORBID_ATTRexplicitly wins first:if (FORBID_ATTR[lcName]) { continue; }For tags, FORBID should also take precedence over ADD.
Impact
Applications using both
ADD_TAGSas a function andFORBID_TAGSsimultaneously get unexpected behavior — forbidden tags are allowed through. Config-dependent but a genuine logic inconsistency.Suggested Fix
Check
FORBID_TAGSbeforetagCheck:if (FORBID_TAGS[tagName]) { /* remove */ } else if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }Affected Version
v3.3.3 (commit 883ac15)
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2026-04-16T00:46:35Z", "cwe_ids": [ "CWE-783" ] }- References
Affected packages
npm / dompurify
Package
- Name
- dompurify
- View open source insights on deps.dev
- Purl
- pkg:npm/dompurify