Skip to content

Fix prototype pollution in removeAttributeNS #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 6, 2025
Merged

Fix prototype pollution in removeAttributeNS #55

merged 2 commits into from
Nov 6, 2025

Conversation

@jameswassink
Copy link
Contributor

@jameswassink jameswassink commented Oct 2, 2025

This should prevent the prototype pollution vulnerability raised in #54

@jameswassink jameswassink mentioned this pull request Oct 2, 2025
Open
@danrossi danrossi mentioned this pull request Oct 3, 2025
Open
jfrej
jfrej reviewed Oct 3, 2025
View reviewed changes
dom-element.js Outdated
DOMElement.prototype.removeAttributeNS =
function _Element_removeAttributeNS(namespace, name) {
var forbiddenKeys = ['__proto__', 'constructor', 'prototype'];
if (forbiddenKeys.includes(name)) {
Copy link

@jfrej jfrej Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would name being any of these keys lead to a prototype pollution?

name is only used in delete attributes[name] below.
I don't think you can pollute the prototype using delete and you can't delete the prototype or constructor either.

skoilakonda
skoilakonda reviewed Oct 3, 2025
View reviewed changes
dom-element.js Outdated
Comment on lines 135 to 137
var attributes = this._attributes[namespace];
if (attributes) {
delete attributes[name]
Copy link

@skoilakonda skoilakonda Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

// Safely access and delete the attribute
const attributes = this._attributes?.[namespace];
if (attributes && Object.prototype.hasOwnProperty.call(attributes, name)) {
    delete attributes[name];
}

Copy link
Contributor Author

@jameswassink jameswassink Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, this makes more sense. I've updated the code.

@nekyouto
Copy link

nekyouto commented Oct 22, 2025

Will there be a new release in npm to rectify this issue? I'm getting this being flagged out when I conduct a OWASP scan.

Looking forward to your inputs.

@danrossi
Copy link

danrossi commented Oct 31, 2025

Is it possible to merge this and make a release. As it's failing audits for many packages including video.js

@patmmccann
Copy link

patmmccann commented Oct 31, 2025

@danrossi the library maintainer indicated it will not be released #54 (comment)

@Raynos Raynos merged commit fe32e8d into Raynos:master Nov 6, 2025
@wasabina67 wasabina67 mentioned this pull request Nov 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Raynos Raynos Raynos approved these changes

+5 more reviewers

@jfrej jfrej jfrej left review comments

@skoilakonda skoilakonda skoilakonda left review comments

@karthikeyar9 karthikeyar9 karthikeyar9 approved these changes

@gkonuralp gkonuralp gkonuralp approved these changes

@abhijeetJaisw abhijeetJaisw abhijeetJaisw approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@jameswassink @nekyouto @danrossi @patmmccann @Raynos @karthikeyar9 @jfrej @gkonuralp @skoilakonda @abhijeetJaisw