Cross-site Scripting (XSS)
Affecting sanitize-html package, versions <1.2.3
sanitize-html is a library for scrubbing html input of malicious values.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unescaped double quotes.
Entering the following:
<IMG SRC= onmouseover="alert('XSS');">
produces the following:
<img src="onmouseover="alert('XSS');"" />
These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.
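An added example (not sanitize-html's own code) that contrasts an attribute serializer writing values verbatim with one that escapes them, using the attribute value a browser extracts from the payload above; the function names and the parse check are assumptions made for illustration.

```javascript
// Added example, not taken from sanitize-html: why an attribute serializer
// must escape the characters listed above, shown on this advisory's input.

// Replacements for characters that break out of a double-quoted attribute.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Vulnerable serializer: the value is concatenated verbatim, so a double
// quote inside it closes the attribute early (the behaviour described above).
function serializeUnsafe(tag, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`);
  return `<${tag} ${parts.join(' ')} />`;
}

// Fixed serializer: every value passes through escapeAttr first.
function serializeSafe(tag, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<${tag} ${parts.join(' ')} />`;
}

// Check the serialized tag: each attribute must be name="..." with no raw
// double quote inside, and nothing else may appear before the closing />.
// Returns the attribute names found, or null when the tag is malformed.
function parseAttrNames(tagText) {
  const m = /^<(\w+)((?:\s+[\w-]+="[^"]*")*)\s*\/?>$/.exec(tagText);
  if (!m) return null;
  return [...m[2].matchAll(/\s+([\w-]+)="[^"]*"/g)].map((a) => a[1]);
}

// Constructed from the advisory's payload <IMG SRC= onmouseover="alert('XSS');">:
// the parser treats everything after "SRC=" as the (unquoted) src value.
const ATTRS = { src: 'onmouseover="alert(\'XSS\');"' };

console.log(serializeUnsafe('img', ATTRS), parseAttrNames(serializeUnsafe('img', ATTRS)));
console.log(serializeSafe('img', ATTRS), parseAttrNames(serializeSafe('img', ATTRS)));
```

The unsafe output reproduces the advisory's `src="onmouseover="alert('XSS');""` and fails the parse check; the escaped output keeps the payload confined to a single `src` attribute.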
There are a few types of XSS:
- Persistent XSS is an attack in which the malicious code persists into the web app’s database.
- Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
Upgrade sanitize-html to version 1.2.3 or higher.
- Jim O'Brien
- 17 Jul, 2014
- 16 Apr, 2017