Print to Pwned: The DOM XSS Inside html2pdf.js
Jan 14, 2026 · 5 min read
Executive Summary (TL;DR)
The html2pdf.js library (versions before 0.14.0) tried to sanitize HTML input by parsing it into the DOM first and removing <script> elements afterwards. This blacklist approach fails because markup that contains no <script> element at all can still run code: an inline event handler such as onerror on an <img> with an unreachable src, or onload on an <svg>, fires as soon as the parsed element is created or attached to the document, independently of any cleanup that runs later. The fix is to sanitize with an allowlist (DOMPurify) before the string ever touches the document.
A high-severity Cross-Site Scripting (XSS) vulnerability in the popular html2pdf.js library lets an attacker who controls the HTML string handed to the library for PDF generation execute arbitrary JavaScript in the victim's browser.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| html2pdf.js (eKoopmans) | < 0.14.0 | 0.14.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| Attack Vector | Network (Client-Side) |
| CVSS v4.0 | 8.7 (High) |
| Impact | High Confidentiality, High Integrity |
| Exploit Status | PoC Available / Trivial |
| Affected Component | src/utils.js:createElement |
Weakness Description (CWE-79)
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.