Severity: high

Cross-Site Scripting



All versions of @risingstack/protect are vulnerable to Cross-Site Scripting. The isXss() XSS validator has several bypasses that may allow attackers to execute arbitrary JavaScript in a victim's browser.


No fix is currently available. Consider using an alternative package. The package is not actively maintained and will not be patched.


Advisory timeline

  1. Advisory Published: Aug 15th, 2019
  2. Reported by Cian McElhinney: Aug 15th, 2019