sanitize-html is vulnerable to XSS through incomprehensive sanitization

Severity:: Medium

Description

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

Recommendation

Update the sanitize-html package to the latest compatible version. Followings are version details:

Affected version(s): < 2.0.0-beta
Patched version(s): 2.0.0-beta

References

GHSA-qhxp-v273-g94h
CVE-2019-25225
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
Sanitize-html Vulnerable To REDoS Attacks - CVE-2022-25887
sanitize-html Information Exposure vulnerability - CVE-2024-21501
Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization - CVE-2026-6594

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; sanitize-html

Anything's wrong? Let us know Last updated on September 12, 2025