Severity: moderate

    Sanitization Bypass

    striptags

    Overview

    A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.

    Impact

    XSS

    Workarounds

    Ensure that the html parameter is a string before calling the function.

    Remediation

    Upgrade to version 3.2.0 or later

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Jun 21st, 2021
    2. reported

      Reported by Anonymous
      Jun 21st, 2021