Cross-site Scripting (XSS)

Affecting sanitize-html package, versions <1.2.3

medium severity

Overview

sanitize-html is a library for scrubbing HTML input of malicious values.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unescaped double quotes.

Passing the following input through the sanitizer:

<IMG SRC= onmouseover="alert('XSS');">

produces the following output, in which the double quotes inside the attribute value are left unescaped:

<img src="onmouseover="alert('XSS');"" />
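The defect above, as an added example that is not sanitize-html's own code: a minimal attribute serializer with the unescaped-quote bug beside a fixed one, plus a round-trip check that a sanitizer test suite could use to catch this regression. The kept attribute value is constructed by hand from the advisory's input rather than parsed from it, and all function names are this example's own.

```javascript
// Added example, not sanitize-html's own code: the attribute-serialization bug behind this advisory and its fix.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Reverse escapeAttr; used only to check that attributes round-trip.
function unescapeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Vulnerable serializer: quotes each value but never escapes what is inside it,
// so a double quote in the value closes the attribute early.
function serializeVulnerable(tag, attrs) {
  const body = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(" ");
  return `<${tag} ${body} />`;
}

// Fixed serializer: identical, except the value passes through escapeAttr.
function serializeFixed(tag, attrs) {
  const body = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ");
  return `<${tag} ${body} />`;
}

// Read back the name="value" pairs a downstream HTML parser would see in a tag,
// decoding the values so a faithful serializer round-trips exactly.
function readAttrs(html) {
  const seen = {};
  for (const m of html.matchAll(/([^\s="\/>]+)="([^"]*)"/g)) seen[m[1]] = unescapeAttr(m[2]);
  return seen;
}

// True when every attribute survives serialization with its exact value.
function roundTrips(serialize, tag, attrs) {
  const seen = readAttrs(serialize(tag, attrs));
  const keys = Object.keys(attrs);
  return Object.keys(seen).length === keys.length && keys.every((k) => seen[k] === attrs[k]);
}

// The advisory's input <IMG SRC= onmouseover="alert('XSS');">: the unquoted SRC
// value runs to the next whitespace, so the kept attribute is (constructed here):
const KEPT_ATTRS = { src: 'onmouseover="alert(\'XSS\');"' };
console.log(serializeVulnerable("img", KEPT_ATTRS)); // the advisory's broken output
console.log(roundTrips(serializeVulnerable, "img", KEPT_ATTRS), roundTrips(serializeFixed, "img", KEPT_ATTRS));
```

With the vulnerable serializer the parser reads back only src="onmouseover=" and the rest of the value sits in tag context, which is why the round-trip check fails for it and passes for the fixed one.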

Remediation

Upgrade sanitize-html to version 1.2.3 or higher.

Credit
Jim O'Brien
Snyk ID
npm:sanitize-html:20140717
Disclosed
17 Jul, 2014
Published
16 Apr, 2017