sanitize-html@1.1.0 vulnerabilities
Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis
-
latest version
2.13.1
-
latest non vulnerable version
-
first published
11 years ago
-
latest version published
2 months ago
-
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the sanitize-html package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Information Exposure when used on the backend and with the How to fix Information Exposure? Upgrade |
<2.12.1
|
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade |
<2.7.1
|
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. This allows attackers to bypass hostname whitelist validation set by the How to fix Access Restriction Bypass? Upgrade |
<2.3.1
|
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Validation Bypass. There is no proper validation of the hostnames set by the How to fix Validation Bypass? Upgrade |
<2.3.2
|
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using How to fix Arbitrary Code Execution? Upgrade |
<2.0.0-beta
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unescaped double quotes. Entering the following:
produces the following:
How to fix Cross-site Scripting (XSS)? Upgrade |
<1.2.3
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. If at least one PoC:
How to fix Cross-site Scripting (XSS)? Upgrade |
<1.11.4
|
Sanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup. Source: Node Security Project How to fix Cross-site Scripting (XSS)? Upgrade |
<=1.4.2
|
Since the sanitize-html module trusts 'text' coming from htmlparser2, and outputs it without further escaping (because htmlparser2 does not decode entities in text before delivering it), this results in an XSS attack vector if sanitize-html ignores the img tag (according to user-configured filter rules) but passes the text intact, as it must do to keep any text in documents. |
<1.4.3
|