The Hidden Cost of Sanitization: How Secure Parsing Can Introduce New XSS Attack Surfaces
Ashish Kataria
Nullcon Goa 2026 · Day 1
Ashish Kataria's talk, "The Hidden Cost of Sanitization: How Secure Parsing Can Introduce New XSS Attack Surfaces," delivered at Nullcon, challenges the pervasive assumption that employing sanitization libraries automatically eliminates the risk of **Cross-Site Scripting (XSS)** vulnerabilities. Kataria, a Security Architect Engineer at Synopsys, presents a compelling argument that modern sanitization techniques, particularly when deployed in multi-stage pipelines, can inadvertently create *new* XSS attack surfaces rather than merely mitigating existing ones. His research delves into a novel class of XSS vulnerabilities that arise from fundamental mismatches in how different parsers—specifically, security sanitizers and web browsers—interpret and transform HTML content.
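The stage-to-stage mismatch Kataria describes is easiest to see in a small pipeline. The Python below is an added example, not code from the talk or from its case studies; every name in it (`AllowListSanitizer`, `sanitize`, `legacy_normalize`, `pipeline_unsafe`, `pipeline_safe`, `is_fixed_point`, the `SAMPLE` input) is constructed for the illustration. It models one simple instance of the class: a toy allow-list sanitizer treats escaped text as inert, and a later stage that decodes HTML entities re-interprets that same text, so markup the sanitizer never inspected reaches the browser. The defensive check shown is to require the pipeline's final output to be a fixed point of the sanitizer.

```python
"""Fixed-point check for a multi-stage HTML sanitization pipeline.

Added example, not code from the talk. Every name here is constructed for
illustration. The pipeline models one simple instance of the class the talk
describes: a sanitizer judges text inert, a later stage re-interprets that
text, and markup the sanitizer never saw reaches the browser.
"""
from html import escape, unescape
from html.parser import HTMLParser

# Toy allow-list: structural tags only; no attributes survive.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong"}


class AllowListSanitizer(HTMLParser):
    """Keeps ALLOWED_TAGS (attributes dropped), removes every other tag,
    and re-escapes all text. convert_charrefs=True means handle_data receives
    decoded text, so escaping it again always yields inert output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html: str) -> str:
    """Stage 1: allow-list sanitizer (constructed toy, not a real library)."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def legacy_normalize(html: str) -> str:
    """A downstream stage that decodes entities 'for display'. Harmless on its
    own; placed after the sanitizer it turns escaped text back into markup."""
    return unescape(html)


def pipeline_unsafe(html: str) -> str:
    """Sanitize first, decode afterwards: the decoder undoes the escaping."""
    return legacy_normalize(sanitize(html))


def pipeline_safe(html: str) -> str:
    """Decode first, sanitize last: the sanitizer sees the final form."""
    return sanitize(legacy_normalize(html))


def is_fixed_point(output: str) -> bool:
    """Defensive check: sanitizer output must be stable under re-sanitizing.
    If sanitize(output) != output, some later stage changed the markup."""
    return sanitize(output) == output


# Constructed sample: allowed markup plus an escaped, disallowed tag name.
SAMPLE = "<p>Hi <b>there</b> &lt;script&gt;&lt;/script&gt;</p>"

if __name__ == "__main__":
    for name, fn in (("unsafe", pipeline_unsafe), ("safe", pipeline_safe)):
        out = fn(SAMPLE)
        print(f"{name:6s} output={out!r} fixed_point={is_fixed_point(out)}")
```

Running it, the sanitize-then-decode order emits the disallowed tag and fails the fixed-point check, while the decode-then-sanitize order passes. The check is a cheap guard to put at the end of any chained pipeline; it flags that some stage changed the markup after the sanitizer ran, but it does not by itself close the sanitizer-versus-browser parser gap the talk focuses on, which still requires the sanitizer to run last and to parse the exact serialization the browser will receive.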
AI review
Kataria does something genuinely useful: he flips the sanitizer-as-solution narrative on its head and shows, with real CVEs and three enterprise case studies, that sanitizers can be the exploit primitive rather than the guard. The compositional security failure angle — specifically that chaining sanitizers creates emergent attack surfaces from parser disagreements — is well-argued and practically grounded.