Description
Cross-site scripting (XSS) vulnerability when the sanitizer is used with a contentEditable element and the element's innerHTML is set to a sanitized string produced by the package. Specially crafted input can abuse the code beautifier, which runs after sanitization.
Recommendation
Update the @jitbit/htmlsanitizer package to the latest compatible version. Version details:
- Affected version(s): < 2.0.3
- Patched version(s): 2.0.3
Related Issues
- Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
- MathLive's Lack of Escaping of HTML allows for XSS - CVE-2025-29049
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
Tags: npm, @jitbit/htmlsanitizer
Last updated on March 14, 2025