Cross-site Scripting (XSS)
Affecting sanitize-html package, versions <1.2.3
sanitize-html is a library for scrubbing HTML input of malicious values.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unescaped double quotes.
Entering the following:
<IMG SRC= onmouseover="alert('XSS');">
produces the following:
<img src="onmouseover="alert('XSS');"" />
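The defect is a serialization one: the tag is parsed correctly (the whole of onmouseover="alert('XSS');" is the unquoted value of the src attribute), but when the attribute is written back out inside double quotes, the double quotes in the value are not escaped, so the value closes the attribute early and what follows is read by the browser as new attribute names. The example below is added here and is not sanitize-html's own code: parseAttributes is a simplified start-tag tokenizer following the HTML spec's quoted/unquoted attribute-value states, serializeTag re-emits the tag either naively (the behaviour the advisory describes) or with escapeAttrValue applied, and roundTrip shows what a browser would see after each. All function names are this example's own.

```javascript
// Added example, not sanitize-html code. Shows why a sanitizer must escape
// double quotes (and &, <, >) in attribute values it re-serializes.

// The input from the advisory.
const PAGE_INPUT = `<IMG SRC= onmouseover="alert('XSS');">`;

// Encode the characters that are significant inside a double-quoted attribute value.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Decode the same four named references (single pass, so &amp;quot; stays literal).
function decodeEntities(s) {
  const table = { quot: '"', amp: '&', lt: '<', gt: '>' };
  return s.replace(/&(quot|amp|lt|gt);/g, (_, name) => table[name]);
}

// Simplified tokenizer for the attributes of one start tag, e.g. '<img src="x" />'.
// Unquoted values run to whitespace or '>' and keep any quotes they contain;
// a quoted value ends at the matching quote, and whatever follows without
// intervening whitespace is read as the next attribute name (as browsers do).
function parseAttributes(tagSource) {
  const attrs = {};
  const n = tagSource.length;
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  if (tagSource[0] !== '<') throw new Error('expected a start tag');
  let i = 1;
  while (i < n && !isWs(tagSource[i]) && tagSource[i] !== '>' && tagSource[i] !== '/') i++; // tag name
  while (i < n) {
    while (i < n && (isWs(tagSource[i]) || tagSource[i] === '/')) i++; // before attribute name
    if (i >= n || tagSource[i] === '>') break;
    let name = '';
    while (i < n && !isWs(tagSource[i]) && !'/>='.includes(tagSource[i])) name += tagSource[i++];
    name = name.toLowerCase();
    while (i < n && isWs(tagSource[i])) i++; // after attribute name
    let value = '';
    if (tagSource[i] === '=') {
      i++;
      while (i < n && isWs(tagSource[i])) i++; // before attribute value
      const q = tagSource[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && tagSource[i] !== q) value += tagSource[i++];
        i++; // closing quote
      } else {
        while (i < n && !isWs(tagSource[i]) && tagSource[i] !== '>') value += tagSource[i++];
      }
    }
    if (!(name in attrs)) attrs[name] = decodeEntities(value); // first occurrence wins
  }
  return attrs;
}

// Re-emit a tag from an attribute map. escape=false reproduces the advisory's
// output; escape=true is the hardened form.
function serializeTag(tagName, attrs, escape) {
  const rendered = Object.entries(attrs)
    .map(([name, value]) => `${name}="${escape ? escapeAttrValue(value) : value}"`)
    .join(' ');
  return `<${tagName.toLowerCase()}${rendered ? ' ' + rendered : ''} />`;
}

// Parse, serialize, and parse again: `reparsed` is the attribute set a browser
// would actually receive from the serialized tag.
function roundTrip(tagSource, escape) {
  const attrs = parseAttributes(tagSource);
  const out = serializeTag('img', attrs, escape);
  return { attrs, out, reparsed: parseAttributes(out) };
}

console.log('unescaped:', roundTrip(PAGE_INPUT, false));
console.log('escaped:  ', roundTrip(PAGE_INPUT, true));
```

With escaping off, the re-serialized tag is byte-for-byte the advisory's output and re-parses into two attributes (src truncated to onmouseover=, plus a bogus attribute named alert('xss');""), so the sanitizer's view of the element and the browser's view diverge. With escaping on, the single src attribute survives the round trip intact, which is the invariant a sanitizer's serializer has to guarantee.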
Upgrade sanitize-html to version 1.2.3 or higher.