GHSA-39q2-94rc-95cp: DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

April 16, 2026

In src/purify.ts:1117-1123, ADD_TAGS as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) bypasses FORBID_TAGS due to short-circuit evaluation.

The condition:

!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])

When tagCheck(tagName) returns true, the entire condition is false and the element is kept — FORBID_TAGS[tagName] is never evaluated.

References

github.com/advisories/GHSA-39q2-94rc-95cp
github.com/cure53/DOMPurify
github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp

Code Behaviors & Features

Detect and mitigate GHSA-39q2-94rc-95cp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →