sanitize-html@1.2.3 vulnerabilities

Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis

Direct Vulnerabilities

Known vulnerabilities in the sanitize-html package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

How to fix Information Exposure?

Upgrade sanitize-html to version 2.12.1 or higher.

<2.12.1
  • M
Regular Expression Denial of Service (ReDoS)

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade sanitize-html to version 2.7.1 or higher.

<2.7.1
  • M
Access Restriction Bypass

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. This allows attackers to bypass hostname whitelist validation set by the allowedIframeHostnames option.

How to fix Access Restriction Bypass?

Upgrade sanitize-html to version 2.3.1 or higher.

<2.3.1
  • M
Validation Bypass

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Validation Bypass. There is no proper validation of the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls is set to true. This allows attackers to bypass the hostname whitelist for the iframe element.

How to fix Validation Bypass?

Upgrade sanitize-html to version 2.3.2 or higher.

<2.3.2
  • C
Arbitrary Code Execution

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using transformTags could be vulnerable to code execution.

How to fix Arbitrary Code Execution?

Upgrade sanitize-html to version 2.0.0-beta or higher.

<2.0.0-beta
  • M
Cross-site Scripting (XSS)

sanitize-html is a library for scrubbing html input of malicious values.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. If at least one nonTextTags tag is allowed, a malicious user may potentially conduct an XSS attack.

PoC:

var sanitizeHtml = require('sanitize-html');

var dirty = '!<textarea>&lt;/textarea&gt;<svg/onload=prompt`xs`&gt;</textarea>!';
var clean = sanitizeHtml(dirty, {
    allowedTags: [ 'textarea' ]
});

console.log(clean);

// !<textarea></textarea><svg/onload=prompt`xs`></textarea>!

How to fix Cross-site Scripting (XSS)?

Upgrade sanitize-html to version 1.11.4 or later.

<1.11.4
  • M
Cross-site Scripting (XSS)

sanitize-html is a library for scrubbing html input of malicious values.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. If at least one nonTextTags tag is allowed, a malicious user may potentially conduct an XSS attack.

PoC:

var sanitizeHtml = require('sanitize-html');

var dirty = '!<textarea>&lt;/textarea&gt;<svg/onload=prompt`xs`&gt;</textarea>!';
var clean = sanitizeHtml(dirty, {
    allowedTags: [ 'textarea' ]
});

console.log(clean);

// !<textarea></textarea><svg/onload=prompt`xs`></textarea>!

How to fix Cross-site Scripting (XSS)?

Upgrade sanitize-html to version 1.11.4 or later.

<1.11.4
  • M
Cross-site Scripting (XSS)

Sanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.

Source: Node Security Project

How to fix Cross-site Scripting (XSS)?

Upgrade sanitize-html to 1.4.3 or later

<=1.4.2
  • M
Cross-site Scripting (XSS)

Since the sanitize-html module trusts 'text' coming from htmlparser2, and outputs it without further escaping (because htmlparser2 does not decode entities in text before delivering it), this results in an XSS attack vector if sanitize-html ignores the img tag (according to user-configured filter rules) but passes the text intact, as it must do to keep any text in documents.

<1.4.3
  • M
Cross-site Scripting (XSS)

Since the sanitize-html module trusts 'text' coming from htmlparser2, and outputs it without further escaping (because htmlparser2 does not decode entities in text before delivering it), this results in an XSS attack vector if sanitize-html ignores the img tag (according to user-configured filter rules) but passes the text intact, as it must do to keep any text in documents.

<1.4.3