Severity: high

    Cross-Site Scripting



    Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.


    Upgrade to version 2.5.3 or later.

    Have content suggestions? Visit

    Advisory timeline

    1. published

      Advisory Published
      Apr 19th, 2019
    2. reported

      Reported by tom
      Apr 18th, 2019