Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc.

Recently, @slonser_ found a bypass in DOMPurify when it’s used to sanitize XML documents. After taking a look at the patch, I found two more bypasses of XML/HTML confusion, so I’m documenting them here.

HTML != XML

As @slonser_ wrote in his post, HTML and XML have slightly different parsing rules. For example, the following text is parsed as a single node in the XML parser, but the HTML parser recogni...