Severity: high

Cross-Site Scripting



Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.


Upgrade to version 2.5.3 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Apr 19th, 2019
  2. reported

    Reported by tom
    Apr 18th, 2019