Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the “allowedIframeHostnames” option when “allowIframeRelativeUrls” is set to true, which allows attackers to bypass the hostname whitelist for the iframe element by using an src value that starts with “/\example.com”.
Recommendation
Update the sanitize-html package to the latest compatible version. Version details are as follows:
- Affected version(s): < 2.3.2
- Patched version(s): 2.3.2
References
Related Issues
- Server secret was included in static assets and served to clients - Vulnerability
- Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
- @sveltejs/kit has unescaped error message included on error page - CVE-2024-53262
- CommonRegexJS Regular Expression Denial of Service vulnerability - CVE-2020-26305
- Tags:
- npm
- sanitize-html
Last updated on February 01, 2023