LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
- Severity: Medium
Description
The `strip_html` filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (`<.*?>`) does not match line terminators, so any HTML tag containing a `\n` or `\r` character passes through unmodified.
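The behaviour described above, as an added example that is not liquidjs's own code: `CATCH_ALL` models only the catch-all branch quoted in this advisory, not the full filter regex. `CATCH_ALL_ANY`, `stripWith`, `survivingTags`, `escapeHtml` and the sample strings are assumptions constructed for illustration, and `CATCH_ALL_ANY` is not a project patch.

```javascript
// Model of the catch-all branch quoted in the advisory (not the full regex).
// Without the "s" flag, "." does not match \n, \r, \u2028 or \u2029.
const CATCH_ALL = /<.*?>/g;
// Hypothetical variant that also spans line terminators (not a project fix).
const CATCH_ALL_ANY = /<[\s\S]*?>/g;

// Apply one of the patterns the way a tag-stripping filter would.
function stripWith(re, input) {
  return String(input).replace(re, '');
}

// Check: tag-like spans still present after the catch-all branch has run.
function survivingTags(input) {
  return stripWith(CATCH_ALL, input).match(CATCH_ALL_ANY) || [];
}

// Mitigation that does not depend on tag stripping: escape on output.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs using a benign tag.
const samples = [
  '<b class="x">one line</b>',
  '<b\nclass="x">LF inside tag</b>',
  '<b\r\nclass="x">CRLF inside tag</b>',
];

for (const s of samples) {
  console.log(JSON.stringify({
    input: s,
    stripped: stripWith(CATCH_ALL, s),     // opening tag survives for samples 2 and 3
    surviving: survivingTags(s),           // [] only for sample 1
    escaped: escapeHtml(s),                // no raw "<" or ">" in any case
  }));
}
```

While no fixed version is available, a check like `survivingTags` can flag stored content that relied on `strip_html`, and escaping at output keeps the surviving markup inert.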
Recommendation
No fix is available yet. The following versions are affected:
- <= 10.25.7
Related Issues
- LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex - CVE-2026-45617
- LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
- LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
- Tags: npm, liquidjs
Last updated on May 27, 2026


