DOMPurify: Client-Side Protection Against XSS and Markup Injection

  • Mario HeiderichEmail author
  • Christopher Späth
  • Jörg Schwenk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)


To prevent Cross-Site Scripting (XSS) and related attacks, sanitation of untrusted content is usually performed either on the server side, or by client-side filters like XSS Auditor or NoScript. However, modern web applications (including mobile apps) may not be able to rely on these mechanisms any more since untrusted content may pass these filters as ciphertext or may completely be processed within the DOM of the browser/app.

To cope with this problem, XSS sanitation within the Document Object Model (DOM) is required. This poses a novel technical challenge: A DOM-based sanitizer must rely on native JavaScript functions. However, in the DOM, any function or property can be overwritten, through a class of attacks called DOM Clobbering.

We present a two-part solution: First we show how to embed any server or client side filtering technology securely into the DOM. Second, we give an example instantiation of an XSS filter which is highly efficient when implemented in Javascript. Both parts are combined into a working and battle-tested proof-of-concept implementation called DOMPurify.


Cross-Site Scripting JavaScript DOM Clobbering Expression injection Sanitization Webmail encryption 



The research was supported by the German Ministry of research and Education (BMBF) as part of the OpenC3S research project.


  1. 1.
    Johns, M.: Code injection vulnerabilities in web applications - exemplified at cross-site scripting. Ph.D. dissertation, University of Passau, Passau, July 2009Google Scholar
  2. 2.
    Heiderich, M., Frosch, T., Jensen, M., Holz, T.: Crouching tiger - hidden payload: security risks of scalable vector graphics. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 239–250. ACM (2011)Google Scholar
  3. 3.
    Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., Yang, E.Z.: mXSS attacks: attacking well-secured web-applications by using innerHTML mutations. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 777–788. ACM (2013)Google Scholar
  4. 4.
    Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: 23rd IEEE Computer Security Foundations Symposium (CSF) 2010, pp. 290–304. IEEE (2010)Google Scholar
  5. 5.
    Heiderich, M., Späth, C., Schwenk, J.: DOMPurify testset (2017).
  6. 6.
    Heiderich, M., Späth, C., Schwenk, J.: Output of ResembleJS (2017).
  7. 7.
    Ross, D.: IE8 security part IV: the XSS filter - IEBlog - site home - MSDN blogs (2008).
  8. 8.
    Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side XSS filters. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 91–100. ACM, New York (2010).
  9. 9.
    Zuchlinski, G.: The anatomy of cross site scripting. In: Hitchhiker’s World, vol. 8, November 2003Google Scholar
  10. 10.
    Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Conference on Detection of Intrusions and Malware and Vulnerability Assessment (2008)Google Scholar
  11. 11.
    Gebre, M., Lhee, K., Hong, M.: A robust defense against content-sniffing XSS attacks. In: 2010 6th International Conference on Digital Content, Multimedia Technology and its Applications (IDC), pp. 315–320. IEEE (2010)Google Scholar
  12. 12.
    Saxena, P., Molnar, D., Livshits, B.: SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 601–614. ACM (2011)Google Scholar
  13. 13.
    Gourdin, B., Soman, C., Bojinov, H., Bursztein, E.: Toward secure embedded web interfaces. In: Proceedings of the USENIX Security Symposium (2011)Google Scholar
  14. 14.
    Gundy, M.V., Chen, H.: Noncespaces: using randomization to defeat cross-site scripting attacks. Comput. Secur. 31(4), 612–628 (2012)CrossRefGoogle Scholar
  15. 15.
    Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: NDSS. The Internet Society (2009)Google Scholar
  16. 16.
    Louw, M.T., Venkatakrishnan, V.N.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, Washington, DC, USA, pp. 331–346. IEEE Computer Society (2009).
  17. 17.
    Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP is dead, long live CSP! On the insecurity of whitelists and the future of content security policy. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security, Vienna, Austria (2016)Google Scholar
  18. 18.
    Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A systematic analysis of XSS sanitization in web application frameworks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 150–171. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23822-2_9CrossRefGoogle Scholar
  19. 19.
    Nava, E.V., Lindsay, D.: Abusing Internet Explorer 8’s XSS Filters.
  20. 20.
    Zalewski, M.: Browser Security Handbook, July 2010.
  21. 21.
    Zalewski, M.: The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press (2011)Google Scholar
  22. 22.
    Bug 29278: XSSAuditor bypasses from
  23. 23.
    Hooimeijer, P., Livshits, B., Molnar, D., Saxena, P., Veanes, M.: Fast and precise sanitizer analysis with BEK. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, Berkeley, CA, USA, p. 1. USENIX Association (2011).
  24. 24.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of IEEE Symposium on Security and Privacy (2012)Google Scholar
  25. 25.
    Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 19th ACM Conference on Computer and Communications Security, pp. 760–771 (2012)Google Scholar
  26. 26.
    Stone, P.: Pixel perfect timing attacks with HTML5.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Mario Heiderich
    • 1
    Email author
  • Christopher Späth
    • 1
  • Jörg Schwenk
    • 1
  1. 1.Ruhr-University BochumBochumGermany

Personalised recommendations