Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing DOMPurify with good old XML
by RyotaK
  • Recently, there was a bypass in DOMPurify when it's used to sanitize XML documents. Since bugs come in pairs, the author looked and found two more variants of the bug in the codebase. For context, DOMPurify is the go-to method for ensuring that rich text doesn't contain malicious JS.
  • XML and HTML have different parsing rules. For example, <?xml-stylesheet ><h1>Hello</h1>)"> ?> is parsed as a single node by an XML parser, but an HTML parser recognizes an h1 tag inside it.
  • In XML, <? opens a processing instruction; that is part of the spec. In HTML, however, <? is processed as a bogus comment, which ends at the first >. So there is a mismatch between HTML and XML parsing.
  • Processing instructions therefore allow a bypass if the sanitized XML document is later processed as an HTML document. Is this a normal case? I suppose that this is something that should be reported.
  • The author found a similar issue within a CDATA section of an XML document as well. It seems that mismatched parsing contexts are a common source of DOMPurify bypasses. So, interesting!
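To make the parser mismatch concrete, here is an added example (my own, not code from RyotaK's post or from DOMPurify) that models just the two tokenizer rules involved: in XML a processing instruction runs from <? to the first ?>, while in HTML <? opens a bogus comment that ends at the first >. The sample string is the one quoted above; the parsersAgree check is the kind of guard a defender wants, because a sanitizer that only inspected the XML view gives no guarantee about what the HTML view contains.

```javascript
// Minimal model of the XML-vs-HTML disagreement about "<?". Only the two
// relevant rules are implemented; real parsers do far more than this.
// mode is 'xml' or 'html'.
function tokenize(input, mode) {
  const tokens = [];
  let i = 0;
  while (i < input.length) {
    if (input.startsWith('<?', i)) {
      // XML: processing instruction up to "?>". HTML: bogus comment up to ">".
      const end = mode === 'xml' ? input.indexOf('?>', i + 2) : input.indexOf('>', i + 2);
      const stop = end === -1 ? input.length : end + (mode === 'xml' ? 2 : 1);
      tokens.push({ type: mode === 'xml' ? 'pi' : 'comment', data: input.slice(i, stop) });
      i = stop;
    } else if (input[i] === '<') {
      // Start or end tag: take everything up to the next ">".
      const end = input.indexOf('>', i);
      const stop = end === -1 ? input.length : end + 1;
      const raw = input.slice(i, stop);
      const m = /^<\/?([A-Za-z][^\s\/>]*)/.exec(raw);
      tokens.push({
        type: raw.startsWith('</') ? 'endTag' : 'startTag',
        name: m ? m[1].toLowerCase() : '',
        data: raw,
      });
      i = stop;
    } else {
      // Text runs until the next "<".
      const end = input.indexOf('<', i);
      const stop = end === -1 ? input.length : end;
      tokens.push({ type: 'text', data: input.slice(i, stop) });
      i = stop;
    }
  }
  return tokens;
}

// Element names each parser sees. For the sample the XML view has none
// (the whole string is one PI) while the HTML view contains an h1.
function elementNames(input, mode) {
  return tokenize(input, mode).filter(t => t.type === 'startTag').map(t => t.name);
}

// Constructed sample, copied from the example quoted in the notes above.
const SAMPLE = '<?xml-stylesheet ><h1>Hello</h1>)"> ?>';

// Guard: if the two views disagree, sanitizing in one mode says nothing
// about the other, and the document must be sanitized in the mode in
// which it will actually be consumed.
function parsersAgree(input) {
  const a = elementNames(input, 'xml');
  const b = elementNames(input, 'html');
  return a.length === b.length && a.every((n, i) => n === b[i]);
}
```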