CVE-2020-26870
npm/dompurify
Cross-site Scripting
Cure53 DOMPurify allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
All versions before 2.0.17
Upgrade to version 2.0.17 or above.
2020-10-19