Mutation XSS (mXSS)

Mutation XSS (mXSS) is an XSS technique that bypasses HTML sanitizers by exploiting differences between how the sanitizer parses and re-serializes HTML and how the browser parses the result when it is inserted into the page. The payload looks harmless in the sanitizer's DOM but "mutates" into executable markup, typically an element carrying an event-handler attribute, when the browser re-parses the serialized output.

How It Works

A DOM-based sanitizer parses the input into a tree, removes disallowed elements and attributes, and serializes the tree back to a string (usually via innerHTML). The application then inserts that string into the live page, where the browser parses it a second time. HTML5 parsing is context-dependent and forgiving of malformed input, and serialization does not escape < or > inside attribute values, so the parse-serialize-parse round trip is not always stable: the second parse can yield a different tree from the one the sanitizer inspected. Attackers craft payloads that are benign in the sanitizer's tree but whose serialized form re-parses into new elements. The usual levers are raw-text elements whose content is or is not parsed for tags depending on context (noscript is parsed as ordinary markup when scripting is disabled, as it is in a DOMParser document, and as raw text when scripting is enabled), foreign content (SVG/MathML) that changes the parsing rules for whatever is nested inside it, and browser- or version-specific parser behaviors.

Example

A payload that mutates during parsing. The sanitizer parses it in a document with scripting disabled (as DOMParser does), so <noscript> is an ordinary element and everything after it is a <p> whose title attribute merely contains some angle brackets:

// Input that passes the sanitizer
<noscript><p title="</noscript><img src=x onerror=alert(1)>">

// The sanitizer's DOM, serialized: no <img> element exists, the <p> and its title are allowed, and the parser has closed the open tags
<noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>

// After the browser re-parses that output in a live page (scripting enabled): <noscript> content is now raw text, so the </noscript> inside the attribute value ends the element and the img tag becomes a real element
<noscript><p title="</noscript>
<img src=x onerror=alert(1)>
"></p></noscript>

The trailing "></p></noscript> is left over as plain text; the onerror handler fires as soon as the image fails to load.

Common Mutation Vectors

  • Backticks in attribute values, which legacy Internet Explorer accepted as attribute delimiters: <img src=`x`onerror=alert(1)>
  • Namespace confusion with SVG/MathML: foreign content changes the parsing rules for elements nested inside it (for example, <style> inside <svg> contains child elements instead of raw text)
  • Raw-text elements (noscript, textarea, style, title) whose content is treated as text rather than markup, with noscript depending on whether scripting is enabled
  • Template tag contents, which are parsed into a separate DocumentFragment (template.content) rather than as ordinary children

Prevention

  • Use a well-maintained sanitizer such as DOMPurify and keep it updated; mXSS bypasses are fixed in sanitizer releases, not in application code
  • Sanitize on the server AND on the client when possible; the client-side pass runs in the same browser that renders the result, which removes most parser mismatches
  • Deploy a strict Content Security Policy (nonce- or hash-based script-src without 'unsafe-inline'), so an inline event handler that slips through is blocked from executing
  • Test sanitizers against known mXSS payloads, and check that sanitizer output re-inserted via innerHTML serializes back to the same string

See Also