Passing in a non-string 'html' argument can lead to unsanitized output
- Severity:
- Medium
Description
A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.
Recommendation
Update the striptags package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.2.0
- Patched version(s): 3.2.0
References
- GHSA-qxg5-2qff-p49r
- www.npmjs.com
- CVE-2021-32696
- CWE-241
- CWE-79
- CWE-843
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- matrix-js-sdk can be tricked into disclosing E2EE room keys to a participating homeserver - CVE-2021-40823
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader - CVE-2026-27795
- Improper Input Validation in sanitize-html - sanitize-html - CVE-2021-26540
You might also like:
- Tags:
- npm
- striptags
Anything's wrong? Let us know Last updated on February 01, 2023


