mutation-xss-anti-pattern

SKILL.md

Mutation XSS (mXSS) Anti-Pattern

Severity: High

Summary

Mutation XSS bypasses HTML sanitizers through inconsistent parsing. Attackers provide HTML appearing safe to sanitizers. When inserted into DOM, browser parsing "corrects" malformed code, creating executable scripts. Sanitizer sees one DOM, browser creates a different, malicious one.

The Anti-Pattern

The anti-pattern is an HTML sanitizer that ignores how the browser's parser will re-interpret its output: the DOM the browser finally builds differs from the DOM the sanitizer checked.
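To make the mismatch concrete, here is an added example in Python (not code from the grimbard skill or its SKILL.md). It uses the standard library's html.parser as a stand-in for both the sanitizer's parser and the "browser's" re-parse; the allowlist, the sample inputs and the sanitize/serialize/tokenize names are constructed for this illustration. The sanitizer drops disallowed tags and attributes correctly, but with escape=False it writes decoded text and attribute values back verbatim, so re-parsing its own output yields different tokens than the ones it approved. The hardened path re-encodes on output and verifies the round trip, refusing any output that does not re-parse to the approved tokens.

```python
"""Serialize-and-reparse consistency check for an allowlist HTML sanitizer.

Assumed design (constructed for this example, not the page's code): tokenize
with html.parser, keep only allowlisted tags/attributes, serialize, then
re-tokenize the output and flag it unless the re-parse reproduces exactly
the tokens the sanitizer approved.
"""
from html.parser import HTMLParser
import html

# Allowlist (constructed): tag -> attributes permitted on it.
ALLOWED_ATTRS = {"p": set(), "b": set(), "i": set(), "a": {"href", "title"}}

# Constructed sample inputs.
SAMPLE_ATTR = "<a title='x\"y'>link</a>"                 # quote inside an attribute value
SAMPLE_TEXT = "<p>&lt;i&gt;not a tag&lt;/i&gt;</p>"      # escaped markup that is only text
SAMPLE_FILTER = '<p onclick="x">hi<img src=y>there</p>'  # disallowed attribute and tag


class TokenCollector(HTMLParser):
    """Flattens markup into ('start', tag, attrs) / ('end', tag) / ('text', data)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, as a DOM would
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        # Sort attributes so token lists compare by content, not by order.
        self.tokens.append(("start", tag, tuple(sorted((k, v or "") for k, v in attrs))))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))

    def handle_data(self, data):
        # Merge runs of text so chunking by the parser does not affect comparison.
        if self.tokens and self.tokens[-1][0] == "text":
            self.tokens[-1] = ("text", self.tokens[-1][1] + data)
        else:
            self.tokens.append(("text", data))


def tokenize(markup):
    p = TokenCollector()
    p.feed(markup)
    p.close()
    return p.tokens


def filter_tokens(tokens):
    """Keep allowlisted tags and attributes; text is always kept (and merged)."""
    out = []
    for tok in tokens:
        if tok[0] == "start" and tok[1] in ALLOWED_ATTRS:
            kept = tuple((k, v) for k, v in tok[2] if k in ALLOWED_ATTRS[tok[1]])
            out.append(("start", tok[1], kept))
        elif tok[0] == "end" and tok[1] in ALLOWED_ATTRS:
            out.append(tok)
        elif tok[0] == "text":
            if out and out[-1][0] == "text":
                out[-1] = ("text", out[-1][1] + tok[1])
            else:
                out.append(tok)
    return out


def serialize(tokens, escape):
    """escape=False writes decoded values back verbatim (the bug); escape=True
    re-encodes text and attribute values so the output re-parses identically."""
    parts = []
    for tok in tokens:
        if tok[0] == "start":
            attrs = "".join(
                ' %s="%s"' % (k, html.escape(v, quote=True) if escape else v)
                for k, v in tok[2])
            parts.append("<%s%s>" % (tok[1], attrs))
        elif tok[0] == "end":
            parts.append("</%s>" % tok[1])
        else:
            parts.append(html.escape(tok[1], quote=False) if escape else tok[1])
    return "".join(parts)


def sanitize(markup, escape=True):
    """Return (output, consistent). consistent is False when re-parsing the
    output does not reproduce the tokens the sanitizer approved; a caller
    should treat such output as unsafe and not emit it."""
    approved = filter_tokens(tokenize(markup))
    output = serialize(approved, escape)
    return output, tokenize(output) == approved


if __name__ == "__main__":
    for sample in (SAMPLE_ATTR, SAMPLE_TEXT, SAMPLE_FILTER):
        for esc in (False, True):
            out, ok = sanitize(sample, escape=esc)
            print("escape=%-5s consistent=%-5s %s" % (esc, ok, out))
```

html.parser is a tokenizer, not a spec-compliant HTML5 tree builder, so this reproduces the sanitizer-output-versus-reparse mismatch rather than a real browser mutation; the portable lesson is the round-trip check in sanitize, which is also how production sanitizers guard against output that re-parses differently from what they approved.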

BAD Code Example

// VULNERABLE: A simple sanitizer that is unaware of browser mutations.
Installs: 7
GitHub Stars: 5
First Seen: Feb 19, 2026
mutation-xss-anti-pattern — igbuend/grimbard