Cure53 🏳️‍🌈

@cure53.infosec.exchange.ap.brid.gy

And there is fire where we walk. [bridged from https://infosec.exchange/@cure53 on the fediverse by https://fed.brid.gy/ ]

25 Followers  |  2 Following  |  16 Posts  |  Joined: 10.01.2025  |  1.8674

Latest posts by cure53.infosec.exchange.ap.brid.gy on Bluesky

Preview
Allow ADD_ATTR and ADD_TAGS to accept a function by nelstrom · Pull Request #1150 · cure53/DOMPurify Summary This PR addresses issue #1149 by allowing ADD_ATTR to accept a function for tag-specific attribute validation. Background & Context Currently, ADD_ATTR only accepts a string array, crea...

DOMPurify 3.3.0 will soon be released, with this likely being the most important change in a long time:

https://github.com/cure53/DOMPurify/pull/1150

09.10.2025 20:04 — 👍 0    🔁 0    💬 0    📌 0
Preview
DOMPurify – Fast & Secure XSS Sanitizer for HTML DOMPurify is a powerful and widely adopted JavaScript library designed to sanitize HTML, SVG, and MathML content on the client side.

How do you like our new website we learned about just today?

https://dompurify.com/

Please make sure to run dompurify.exe on Windows 11 for best possible experience and Full HD.

30.09.2025 08:25 — 👍 0    🔁 0    💬 0    📌 0
Preview
Release DOMPurify 3.2.7 · cure53/DOMPurify Added new attributes and elements to default allow-list, thanks @elrion018 Added tagName parameter to custom element attributeNameCheck, thanks @nelstrom Added better check for animated href attrib...

DOMPurify 3.2.7 has been released today, adding several fixes and improvements.

https://github.com/cure53/DOMPurify/releases/tag/3.2.7

Thanks to all folks who contributed 💕

17.09.2025 12:15 — 👍 0    🔁 0    💬 0    📌 0
A stuffed doll of Jean-Luc Picard, captain of the starship Enterprise in the television program Star Trek: The Next Generation, sits on a shelf in a used goods store right next to a package of LED lights. The picture on the front of the box shows four lights while the written advertising on the box says there are FIVE lights in the package.

Somebody on the internet is very good at subtle humor.

#StarTrekTNG
#Humor

26.06.2025 18:01 — 👍 6    🔁 39    💬 2    📌 0

In the last five years, we've gone from "employees will never have to go into an office" to "employees need to be in the office because creative and innovative work can only be done face-to-face between humans" to "lol we don't need humans"

26.06.2025 16:14 — 👍 40    🔁 289    💬 5    📌 0
Original post on phpc.social

libxslt project maintainer steps down, citing the amount of time it takes to triage embargoed security issues.

“I’ve been doing this long enough to know that most of the secrecy around security issues is just theater. All the ‘best practices’ like OpenSSF Scorecards are just an attempt by big […]

18.06.2025 14:09 — 👍 6    🔁 25    💬 0    📌 0

From a pure penetration testing perspective, ZUGFeRD has been such a gift in 2025... thank you so much, German government 😅

19.06.2025 11:50 — 👍 0    🔁 0    💬 0    📌 0

@publicvoit If we did that for DOMPurify and HTML, we'd be doing nothing else but populating that list all day long 😅

03.06.2025 13:34 — 👍 0    🔁 0    💬 0    📌 0
Preview
Escape "<" and ">" when serializing attribute values · whatwg/html@e21bd3b Avoid a class of XSS attacks where markup goes through a lossy parse-serialize-parse roundtrip and the original attribute value is parsed in the data state. This reverts 4eeb8a1706c9545d5aedb5d569...

Remember this tiny change to the HTML spec?

It just prevented a critical bug in an application we are currently testing.

https://github.com/whatwg/html/commit/e21bd3b4a94bfdbc23d863128e0b207be9821a0f

❤️ cc @freddy @securitymb

03.06.2025 11:35 — 👍 0    🔁 1    💬 0    📌 0
Preview
Escape "<" and ">" when serializing attribute values · whatwg/html@e21bd3b Avoid a class of XSS attacks where markup goes through a lossy parse-serialize-parse roundtrip and the original attribute value is parsed in the data state. This reverts 4eeb8a1706c9545d5aedb5d569...

Small change to HTML with massive impact on eliminating mXSS attacks

https://github.com/whatwg/html/commit/e21bd3b4a94bfdbc23d863128e0b207be9821a0f

20.05.2025 09:24 — 👍 1    🔁 1    💬 0    📌 0
Preview
Release DOMPurify 3.2.6 · cure53/DOMPurify Fixed several typos and removed clutter from our documentation, thanks @Rotzbua Added matrix: as an allowed URI scheme, thanks @kleinesfilmroellchen Added better config hardening against prototype ...

DOMPurify 3.2.6 has been released with several smaller fixes and improvements, thanks to all who contributed 💕

https://github.com/cure53/DOMPurify/releases/tag/3.2.6

Hopefully this will also help with the CI/CD issues that arose after the fake CVE was posted last week.

19.05.2025 15:28 — 👍 1    🔁 0    💬 0    📌 0
Preview
Detecting malicious Unicode

In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts. In a later presentation, he could show us how not a single human reviewer in the team nor any CI job had spotted or remarked on one of the changes he included: he replaced an ASCII letter with a Unicode alternative in a URL.

This was an eye-opener to several of us and we decided we needed to up our game. We are the curl project. We can do better.

## GitHub

The replacement symbol looked identical to the ASCII version so it was not possible to visually spot this, but the diff viewer knows there is a difference. In this GitHub website screenshot below I reproduced a similar case. The right-side version has the Latin letter ‘g’ replaced with the Armenian letter co. They appear to be the same. GitHub shows a diff. But what is actually the difference?

The diff viewer says there is a difference but as a human it isn’t possible to detect what it is.

Is it a flaw? Does it matter? If done “correctly”, it would be done together with a _real_ and expected fix. The impact of changing one or more letters in a URL can of course be devastating depending on conditions.

When I flagged this rather big omission to GitHub people, I got barely any responses at all and I get the feeling the impact of this flaw is not understood and acknowledged. Or perhaps they are all just too busy implementing the next AI feature we don’t want.

## Warnings

When we discussed this problem on Mastodon earlier this week, Viktor Szakats provided me with an example screenshot of doing a similar stunt with Gitea which quite helpfully highlights that there is something special about the replacement: Gitea warns that the replacement is using “ambiguous Unicode characters”. I have been told that some of the other source code hosting services also show similar warnings.

As a user, I would actually like to know even more than this, but at least this warns about the proposed change clearly enough so that if this happens I would get the code manually and investigate before accepting such a change.

## Detect

While we wait for GitHub to wake up and react (which I have no expectation will actually happen anytime soon), we have implemented checks to help us poor humans spot things like this. _To detect malicious Unicode._

We have added a CI job that scans all files and validates every UTF-8 sequence in the git repository. In the curl git repository most files and most content are plain old ASCII so we can “easily” whitelist a small set of UTF-8 sequences and some specific files; the rest of the files are simply not allowed to use UTF-8 at all as they will then fail the CI job and turn up red.

In order to drive this change home, we went through all the test files in the curl repository and made sure that all the UTF-8 occurrences were instead replaced by other kinds of escape sequences and similar. Some of them were also used more or less by mistake and could easily be replaced by their ASCII counterparts.

The next time someone tries this stunt on us it could be someone with less good intentions, but now ideally our CI will tell us.

## Confusables

There are plenty of tools to find similar-looking characters in different Unicode sets. One of them is provided by the Unicode consortium themselves: https://util.unicode.org/UnicodeJsps/confusables.jsp

## Reactive

This was yet another security-related fix _reacting_ on a demonstrated problem. I am sure there are plenty more problems which we have not yet thought about nor been shown and therefore we do not have adequate means to detect and act on automatically.

We want and strive to be proactive and tighten everything _before_ malicious people exploit some weakness somewhere but security remains this never-ending race where we can only do the best we can and while _the other side_ is working in silence and might at some future point attack us in new creative ways we had not anticipated. That future unknown attack is a tricky thing.

Detecting malicious Unicode in #curl

https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/

16.05.2025 07:09 — 👍 35    🔁 57    💬 3    📌 2
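The CI check the curl post above describes (scan every file, accept non-ASCII UTF-8 only from an allowlist of files or code points, fail on anything else), as an added Python example; this is not curl's own CI script. It additionally flags letters from non-Latin scripts with a simple mixed-script heuristic, which stands in for the Unicode confusables table the post links to. The sample repository contents, the allowlists and the heuristic are constructed for illustration; the single swapped letter reproduces the post's example of a Latin "g" replaced by the Armenian letter co.

```python
"""Repository-wide UTF-8 audit: the kind of CI job the curl post describes."""
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample repository (path -> file bytes); none of this is curl's code.
SAMPLE_REPO: Dict[str, bytes] = {
    # Latin 'g' in "git" replaced with U+0581 ARMENIAN SMALL LETTER CO, as in the post
    "src/url.c": 'const char *u = "https://example.org/\u0581it";\n'.encode("utf-8"),
    # Legitimate non-ASCII in a documentation file that the allowlist permits
    "docs/THANKS": "Thanks to Ren\u00e9 for the patch\n".encode("utf-8"),
    "tests/data/test1": b"plain ASCII content\n",
    # Bytes that are not valid UTF-8 at all; always reported, allowlisted or not
    "tests/data/test2": b"header\n\xff\xfe broken\n",
}

# Hypothetical allowlists: files that may contain any UTF-8, and code points
# permitted in every file (the non-breaking space here is just an illustration).
ALLOWED_FILES = {"docs/THANKS"}
ALLOWED_CODEPOINTS = {0x00A0}

Finding = Tuple[str, int, str, str]  # (path, line, kind, detail)


def script_of(ch: str) -> str:
    """First word of the Unicode name approximates the script (LATIN, ARMENIAN, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def is_confusable_letter(ch: str) -> bool:
    """Heuristic, not the Unicode confusables table: a letter from a non-Latin
    script is suspicious in a repository whose text is otherwise ASCII."""
    return unicodedata.category(ch).startswith("L") and script_of(ch) != "LATIN"


def scan_file(path: str, data: bytes) -> List[Finding]:
    """Return one finding per offending character (or one per undecodable file)."""
    findings: List[Finding] = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Count newlines before the bad byte so the report carries a line number
        line = data[: exc.start].count(b"\n") + 1
        return [(path, line, "invalid-utf8", data[exc.start:exc.end].hex())]
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            cp = ord(ch)
            if cp < 0x80 or cp in ALLOWED_CODEPOINTS:
                continue
            if path in ALLOWED_FILES:
                continue
            kind = "confusable" if is_confusable_letter(ch) else "non-ascii"
            detail = f"U+{cp:04X} {unicodedata.name(ch, '?')}"
            findings.append((path, lineno, kind, detail))
    return findings


def scan_repo(repo: Dict[str, bytes]) -> List[Finding]:
    """Scan every file in path order and collect all findings."""
    findings: List[Finding] = []
    for path in sorted(repo):
        findings.extend(scan_file(path, repo[path]))
    return findings


if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for path, line, kind, detail in results:
        print(f"{path}:{line}: {kind}: {detail}")
    # A CI job turns red when anything at all is reported
    raise SystemExit(1 if results else 0)
```

Run against a real checkout, the dictionary would be replaced by a walk over the tracked files; the important design point from the post is that the default is deny, so a new non-ASCII byte anywhere outside the allowlist fails the build rather than relying on a reviewer's eyes.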

The advisory has been revoked, thanks folks over at Snyk for being super fast and responsive 😄 ❤️

16.05.2025 14:44 — 👍 0    🔁 0    💬 0    📌 0

@bagder No worries and thanks nevertheless 🙇

16.05.2025 14:11 — 👍 0    🔁 0    💬 0    📌 0

@bagder That is true indeed.

Also, sorry for summoning you, we hoped you might per chance know of a quick path to escalate this to Snyk so we can have that CVE be reviewed.

Right now trying to learn how, as this is a first for us.

16.05.2025 14:04 — 👍 0    🔁 0    💬 1    📌 0

cc @bagder who likely already has experience with this kind of bug report 😅

16.05.2025 13:32 — 👍 0    🔁 0    💬 1    📌 0
Preview
Snyk Vulnerability Database | Snyk High severity (7.8) Directory Traversal in dompurify | CVE-2025-48050

Sadly, someone dropped a nonsense CVE on DOMPurify and now people are panicking and sending us emails asking when the "fix" will be released.

https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060

Does anyone here have a personal contact at Snyk who might be able to help with getting rid of this?

16.05.2025 13:31 — 👍 0    🔁 2    💬 2    📌 0
Two penguins, one is well visible, the other one... almost visible too!

Scientists recently visualized it, can you finally see how insecure Linux really is?

Just use Windows and set AI=On and all this will go away #securitytips #youarewelcome

23.04.2025 15:17 — 👍 0    🔁 0    💬 0    📌 0
Preview
Release DOMPurify 3.2.5 · cure53/DOMPurify Added a check to the mXSS detection regex to be more strict, thanks @masatokinugawa Added ESM type imports in source, removes patch function, thanks @donmccurdy Added script to verify various TypeS...

DOMPurify 3.2.5 has been released, adding several fixes and improvements.

https://github.com/cure53/DOMPurify/releases/tag/3.2.5

Thanks to all folks who contributed 💕

03.04.2025 17:19 — 👍 0    🔁 0    💬 0    📌 0
Original post on infosec.exchange

DOMPurify 3.2.4 has been released, adding some smaller fixes and convenience features...

And, also fixing a conditional, config-dependent and very smart bypass - related to the SAFE_FOR_TEMPLATES mode, thanks @nsysean 😍

https://github.com/cure53/DOMPurify/releases/tag/3.2.4

If you don't use […]

30.01.2025 09:43 — 👍 0    🔁 0    💬 0    📌 0
