Description
All versions of html-janitor are vulnerable to cross-site scripting (XSS).
Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous (XSS) in case user-controlled input is passed to the clean function.”
Recommendation
No fix is available yet. Followings are affected versions:
- < 2.0.4
References
- GHSA-fx46-whrj-73v5
- hackerone.com
- www.npmjs.com
- CVE-2017-0928
- CWE-547
- CWE-642
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A5
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in html-janitor - CVE-2017-0931
- Sanitization bypass using HTML Entities in marked - CVE-2016-10531
- Cross-Site Scripting in sanitize-html - CVE-2017-16017
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Tags:
- npm
- html-janitor
Anything's wrong? Let us know Last updated on September 12, 2023