htmr@0.6.1 vulnerabilities

Simple and lightweight (< 2kB) HTML to React converter that works in server and browser

  • latest version: 1.0.2
  • latest non vulnerable version:
  • first published: 7 years ago
  • latest version published: 2 years ago
  • licenses detected:

  • Direct Vulnerabilities

    Known vulnerabilities in the htmr package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability
    • Severity: M (medium)
    Cross-site Scripting (XSS)

    htmr is a simple and lightweight library for converting HTML strings into React elements.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The module uses an innerHTML reference to unescape HTML entities, which leads to DOM-based XSS when an HTML-encoded XSS payload is inserted (see PoC).

    PoC

    1. Create a React app: create-react-app xss-htmr
    2. Install the htmr module: cd xss-htmr; npm i htmr
    3. Edit the src/App.js file to this:

        import React from 'react';
        import convert from 'htmr';

        export default function App() {
          return convert(`<p>Hash: ${window.location.hash}</p>`);
        }

    4. Run the server: npm run start
    5. Visit http://localhost:3000/#&lt;img/src/onerror=alert('xss')&gt;; an alert will pop up.

    How to fix Cross-site Scripting (XSS)?

    Upgrade htmr to version 0.8.7 or higher.

    Vulnerable versions: <0.8.7
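As an added example (not code from the advisory or from the htmr project), the PoC's markup builder rewritten so the untrusted hash is HTML-escaped before it is interpolated, together with a constructed one-pass entity decoder standing in for an innerHTML-based unescape, to show why escaping the ampersand keeps the encoded payload as inert text. The function names escapeHtml, buildHashMarkup, decodeEntitiesOnce and containsTag are assumptions, and the decoder is a minimal stand-in, not htmr's implementation.

```javascript
// Added example, not from the htmr project or the advisory.
// Rule being demonstrated: never interpolate raw untrusted text into an HTML
// string that a converter will entity-decode; escape it first.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attributes.
// Escaping '&' is what defeats the double decoding: "&lt;" becomes
// "&amp;lt;", which decodes back to the literal text "&lt;", never to "<".
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical hardened counterpart of the PoC's App component: the hash
// (e.g. window.location.hash) is escaped before interpolation.
function buildHashMarkup(hash) {
  return `<p>Hash: ${escapeHtml(hash)}</p>`;
}

// Constructed stand-in for a single innerHTML-style entity-decoding pass over
// text; it only knows the entities escapeHtml emits. Not htmr's own code.
function decodeEntitiesOnce(text) {
  const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => NAMED[name]);
}

// Defender's check: did decoding turn the text into something tag-like?
function containsTag(text) {
  return /<[a-zA-Z!/]/.test(text);
}

// Constructed input: the encoded payload shape from the advisory's PoC.
const SAMPLE_HASH = "#&lt;img/src/onerror=alert('xss')&gt;";

// Unescaped interpolation: one decoding pass yields a tag (the PoC's bug).
const unsafeDecoded = decodeEntitiesOnce(`<p>Hash: ${SAMPLE_HASH}</p>`);
// Escaped interpolation: one decoding pass yields only inert text.
const safeDecoded = decodeEntitiesOnce(buildHashMarkup(SAMPLE_HASH));
console.log('unsafe contains tag:', containsTag(unsafeDecoded.slice(9, -4)));
console.log('safe contains tag:', containsTag(safeDecoded.slice(9, -4)));
```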