Improper Input Validation in sanitize-html

Description

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the “allowedIframeHostnames” option.

Recommendation

Update the sanitize-html package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.3.1
• Patched version(s): 2.3.1

References

• GHSA-rjqq-98f6-6j3r
• advisory.checkmarx.net
• CVE-2021-26539
• CWE-20
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Improper Input Validation in sanitize-html - sanitize-html - CVE-2021-26540
• Improper Neutralization of Input in Theia console - CVE-2021-28161
• Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
• Cross-Site Scripting in sanitize-html - CVE-2017-16017

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

sanitize-html