Cross-site Scripting (XSS) Affecting html-janitor package, versions <2.0.4
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
Threat Intelligence
- Exploit Maturity: Mature
- EPSS: 0.08% (31st percentile)
- Snyk ID npm:html-janitor:20180123
- published 11 Feb 2018
- disclosed 23 Jan 2018
- credit Martin Bajanik
Introduced: 23 Jan 2018
CVE-2017-0928
How to fix?
Upgrade html-janitor to version 2.0.4 or higher.
Overview
html-janitor is a library that cleans up your markup and allows you to take control of your HTML.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Arbitrary HTML can pass through the sanitization process, which is unexpected and leads to XSS when user-controlled input is passed to the clean function.
PoC by Martin Bajanik
var myJanitor = new HTMLJanitor({tags:{p:{}}});
var cleanHtml = myJanitor.clean("<form><object onmouseover=alert(document.domain) name=_sanitized></object></form>")
console.log(cleanHtml)
// logs: <form><object onmouseover=alert(document.domain) name=_sanitized></object></form>
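A regression check for the behaviour the PoC shows, as an added example that is not part of the advisory or of html-janitor: it scans sanitizer output for tags and attributes outside the configured allow-list, so a test suite fails if output like the one logged above ever comes back from clean. The names findDisallowed and assertClean are hypothetical, and the config shape { tags: { name: { attr: true } } } is assumed from the PoC's {tags:{p:{}}}.

```javascript
// Added example, not html-janitor code. Test-time assertion, not a sanitizer.
// Assumption: config has the shape used in the PoC, { tags: { name: { attr: true } } }.

// Start of a tag: "<" + letter, then attributes (quoted values may contain ">").
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)/g;
// One attribute: a name, optionally followed by "=" and a value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Return the tags and attributes in `html` that `config` does not allow.
function findDisallowed(html, config) {
  const allowed = (config && config.tags) || {};
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const violations = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (!has(allowed, name)) {
      violations.push("<" + name + ">");
      continue; // the whole element is unexpected; its attributes add nothing
    }
    const allowedAttrs = Object(allowed[name]); // tolerate null or non-object values
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (!has(allowedAttrs, attrName) || !allowedAttrs[attrName]) {
        violations.push("<" + name + " " + attrName + ">");
      }
    }
  }
  return violations;
}

// Throw if sanitizer output contains anything outside the allow-list.
function assertClean(html, config) {
  const violations = findDisallowed(html, config);
  if (violations.length > 0) {
    throw new Error("sanitizer output not clean: " + violations.join(", "));
  }
  return html;
}

// The output logged by the PoC above, checked against the PoC's config.
const pocConfig = { tags: { p: {} } };
const pocOutput =
  "<form><object onmouseover=alert(document.domain) name=_sanitized></object></form>";
console.log(findDisallowed(pocOutput, pocConfig)); // [ '<form>', '<object>' ]
```

In a test suite, wrap the sanitizer call as assertClean(myJanitor.clean(input), config) for each hostile input you keep as a fixture.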