DOM Clobbering.

A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining. Cette notion relève de la catégorie Sécurité applicative en cybersécurité.

A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.

DOM clobbering exploits a legacy DOM feature: any HTML element with an `id` or `name` attribute is exposed as a property on `window` (and, for form fields, on its parent form). An attacker who can inject limited HTML — say through a markdown renderer or a relaxed sanitizer — can therefore create variables that override or define globals, even with all script tags blocked. Classic targets include `window.config`, library globals such as `_wpemojiSettings`, and properties a strict CSP otherwise protects. Modern research (Khodayari & Pellegrino, Heyes, and the 2023 attacks on widely used sanitizers like DOMPurify) demonstrated reliable gadget chains turning HTML-only injection into full XSS by hijacking framework lookups (`window.config.url`, `document.currentScript.src`). Defenses include using `document.getElementById` instead of bare global lookups, accessing globals via `let`/`const`, locking sensitive properties on `window`, and configuring sanitizers to strip or namespace `id`/`name` attributes on user-controlled HTML.

Les défenses contre DOM Clobbering combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : HTML namespace pollution, Named-element global hijack.