Cross-Site Scripting in sanitize-html (GHSA-3j7m-hmh3-9jmp)

Description

Affected versions of sanitize-html do not sanitize input recursively, which may allow an attacker to execute arbitrary Javascript.

Recommendation

Update the sanitize-html package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.4.3
• Patched version(s): 1.4.3

References

• GHSA-3j7m-hmh3-9jmp
• raw.githubusercontent.com
• www.npmjs.com
• CVE-2016-1000237
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-Site Scripting in sanitize-html (GHSA-xc6g-ggrc-qq4r) - CVE-2017-16016
• Cross-Site Scripting in sanitize-html - CVE-2017-16017
• Cross-Site Scripting in swagger-ui (GHSA-mrx7-8hxf-f853) - CVE-2016-1000233
• Cross-Site Scripting in swagger-ui (GHSA-7f59-x49p-v8mq) - CVE-2016-1000226

Tags:

npm

sanitize-html