mXSS: The Vulnerability Hiding in Your Code
Cross-site scripting (XSS) is a common vulnerability in which an attacker injects malicious JavaScript into a vulnerable web page. The impact of XSS ranges from no business impact to account takeover, data leakage, or even remote code execution. Recent years have seen the rise of mutation-based XSS, which can bypass sanitizers such as DOMPurify and Google Caja. Mutation Cross-Site Scripting (mXSS) takes advantage of HTML's tolerance for broken markup and its various parsing modes to evade sanitization, so understanding the intricacies of HTML parsing is crucial for addressing mXSS vulnerabilities. Factors that contribute to mXSS attacks include the different content parsing types, foreign content elements (such as SVG and MathML), namespace confusion techniques, and desanitization (re-parsing of already sanitized markup). Developers can mitigate these risks by sanitizing on the client side, not re-parsing sanitized content, always encoding or deleting raw content, and sanitizing foreign elements with checks on the parent element's namespace. The future of addressing mXSS lies in built-in browser sanitizers such as the Sanitizer API initiative and in updates to the HTML specification.
Company: Sonar
Date published: May 27, 2024
Author(s): Yaniv Nizry
Word count: 2965
Hacker News points: 1
Language: English