Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the “allowedIframeHostnames” option when “allowIframeRelativeUrls” is set to true. An attacker can bypass the iframe hostname allowlist by using an src value that starts with “/\example.com”: the sanitizer treats the value as a same-origin relative URL, but browsers treat a backslash like a forward slash in http(s) URLs, so the iframe resolves to the protocol-relative “//example.com” and loads content from an arbitrary host.
Recommendation
Update the sanitize-html package to the latest compatible version. Version details:
- Affected version(s): < 2.3.2
- Patched version(s): 2.3.2
Related Issues
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
- Improper Neutralization of Input in Theia console - CVE-2021-28161
- Improper Input Validation in SocksJS-Node - CVE-2020-7693
Tags:
- npm
- sanitize-html
Last updated on February 01, 2023