
Mutation XSS (mXSS)

A cross-site scripting variant that exploits how browsers mutate HTML during parsing and serialization to bypass sanitization.

Mutation XSS (mXSS) is a cross-site scripting technique that exploits the difference between how HTML sanitizers parse input and how browsers actually render it. The browser's HTML parser mutates the sanitized markup during processing, transforming safe-looking content into executable code.

How It Works

HTML sanitizers work by parsing input, building a DOM tree, removing dangerous elements and attributes, and serializing the clean DOM back to HTML. The vulnerability arises because the browser may re-parse that serialized output differently from how the sanitizer parsed it. During this re-parsing, the browser's error-recovery and tree-construction rules can restructure the HTML in ways that reintroduce the dangerous content the sanitizer removed.

A common mutation involves nested elements and browser error recovery. HTML parsers are designed to be forgiving, automatically fixing malformed markup by rearranging elements, closing unclosed tags, and restructuring nested content. When the sanitizer produces output that the browser's parser restructures, the resulting DOM can differ significantly from what the sanitizer inspected.

For example, certain combinations of elements like <svg>, <math>, and <foreignObject> trigger namespace switches in the parser that change how subsequent content is interpreted. Content that was parsed as inert within an SVG context might be re-parsed as active HTML after a namespace transition. The sanitizer sees safe SVG content; the browser renders executable HTML.

Another mutation vector involves attribute values. Some sanitizers allow certain attributes but do not account for how the browser normalizes their values. Backtick characters, HTML entities, and Unicode normalization can each cause the sanitizer's view of an attribute value to differ from what the browser actually renders.

Prevention

Use sanitizers that operate on the browser's actual DOM rather than performing string-based sanitization. Libraries that parse HTML using the same algorithm as the browser avoid the parser differential that mXSS exploits. Keeping sanitization libraries updated is critical, as new mutation vectors are regularly discovered. Content Security Policy provides defense in depth by restricting script execution even if mXSS bypasses the sanitizer.
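As an added example (not code from the page or any particular library), the sketch below ties the two points above together: a small allowlist sanitizer that prunes the browser's own DOM via DOMParser, and a fixed-point wrapper that re-sanitizes the output until it stops changing, refusing markup that keeps mutating on re-parse. The allowlists, the `javascript:` check and the round limit are illustrative choices; the browser-backed function needs a browser (or a DOM shim), while the wrapper works with any sanitize function.

```javascript
// Added example: DOM-based allowlist sanitizer plus a fixed-point check.
// domSanitize parses with the browser's own HTML5 parser, so the tree it
// inspects is the tree the browser would render. sanitizeToFixedPoint then
// re-runs the sanitizer on its own serialized output: if a second pass changes
// anything, the markup mutated on re-parse (the differential mXSS relies on)
// and it is refused rather than rendered.

// Illustrative allowlists (assumption, not a recommendation for any app).
const ALLOWED_TAGS = new Set(["P", "B", "I", "EM", "STRONG", "A", "UL", "OL", "LI", "BR"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);
const HTML_NS = "http://www.w3.org/1999/xhtml";

// Browser-only: parse with the real parser, prune the tree, serialize back.
function domSanitize(html) {
  const doc = new DOMParser().parseFromString(html, "text/html");
  // querySelectorAll returns a static list, so removing nodes while iterating is safe.
  for (const el of Array.from(doc.body.querySelectorAll("*"))) {
    // Anything outside the HTML namespace (svg, math and their children) is
    // dropped whole, since namespace switches are where parser mutations start.
    if (el.namespaceURI !== HTML_NS || !ALLOWED_TAGS.has(el.tagName)) {
      el.remove(); // removes the whole subtree, not just the element
      continue;
    }
    for (const attr of Array.from(el.attributes)) {
      const ok = ALLOWED_ATTRS.has(attr.name) && !/^\s*javascript:/i.test(attr.value);
      if (!ok) el.removeAttribute(attr.name);
    }
  }
  return doc.body.innerHTML;
}

// Sanitizer-agnostic fixed-point check. Stable output means the browser's
// re-parse of it contains nothing the sanitizer would remove; output that is
// still changing after maxRounds is treated as unsafe and replaced by "".
function sanitizeToFixedPoint(html, sanitize = domSanitize, maxRounds = 3) {
  let current = sanitize(html);
  for (let round = 1; round <= maxRounds; round++) {
    const next = sanitize(current);
    if (next === current) return { safe: true, rounds: round, html: current };
    current = next;
  }
  return { safe: false, rounds: maxRounds, html: "" };
}
```

In a browser, `sanitizeToFixedPoint(userHtml).html` is what gets assigned to `innerHTML`; the `rounds` field is worth logging, since any value above 1 means a sanitizer output was not a parse/serialize fixed point and deserves investigation.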

Why It Matters

Mutation XSS bypasses the very defenses designed to prevent cross-site scripting. It targets the sanitizer itself, making it particularly dangerous in applications that rely on HTML sanitization to safely render user content. Understanding mXSS is essential for anyone implementing or testing HTML sanitization logic.
