Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the “allowedIframeHostnames” option when the “allowIframeRelativeUrls” is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with “/\example.com”.
Recommendation
Update the sanitize-html package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.3.2
- Patched version(s): 2.3.2
References
Related Issues
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Sanitize-html Vulnerable To REDoS Attacks - CVE-2022-25887
- bson-objectid contains Improper input validation - CVE-2019-19729
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
You might also like:
- Tags:
- npm
- sanitize-html
Anything's wrong? Let us know Last updated on February 01, 2023


