sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements

Description

Commit 49d0bb7 introduced a regression in sanitize-html that bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of arbitrary tags including XSS payloads.

Recommendation

Update the sanitize-html package to the latest compatible version. Followings are version details:

• Affected version(s): >= 2.17.2, < 2.17.3
• Patched version(s): 2.17.3

References

• GHSA-9mrh-v2v3-xpfm
• CVE-2026-40186
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
• fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
• LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS - CVE-2026-44644
• OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal - CVE-2026-35570

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

sanitize-html