DOM Clobbering.

A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining. It belongs to the Application Security category of cybersecurity.

A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.

DOM clobbering exploits a legacy DOM feature: any HTML element with an `id` or `name` attribute is exposed as a property on `window` (and, for form fields, on its parent form). An attacker who can inject limited HTML — say through a markdown renderer or a relaxed sanitizer — can therefore create variables that override or define globals, even with all script tags blocked. Classic targets include `window.config`, library globals such as `_wpemojiSettings`, and properties a strict CSP otherwise protects. Modern research (Khodayari & Pellegrino, Heyes, and the 2023 attacks on widely used sanitizers like DOMPurify) demonstrated reliable gadget chains turning HTML-only injection into full XSS by hijacking framework lookups (`window.config.url`, `document.currentScript.src`). Defenses include using `document.getElementById` instead of bare global lookups, accessing globals via `let`/`const`, locking sensitive properties on `window`, and configuring sanitizers to strip or namespace `id`/`name` attributes on user-controlled HTML.

Defences for DOM Clobbering typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: HTML namespace pollution, Named-element global hijack.