Severity: MEDIUM (6.1) · Ecosystem: npm
Cross-Site Scripting in sanitize-html
GHSA-wg96-3933-j2w5 · CVE-2017-16017
Description
Affected versions of sanitize-html are vulnerable to cross-site scripting.
Proof of Concept:
<IMG SRC= onmouseover="alert('XSS');">
produces the following:
<img src="onmouseover="alert('XSS');"" />
This output is invalid HTML: the onmouseover handler and its value have been folded into the src attribute, leaving unbalanced quotes, which indicates that the parser is mis-tokenizing the input rather than rejecting or stripping the attribute.
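As an added example (not part of the advisory and not sanitize-html's own code), the following JavaScript is a post-sanitization check of the kind a project might keep as a regression test around whatever sanitizer it uses. It tokenizes a single start tag by the HTML attribute grammar and reports the malformed quoting visible in the output above (a quoted value followed directly by more characters), and it also reports any event-handler attribute that survives sanitization. The sample strings are constructed from the output quoted above; parseStartTag and checkSanitizedTag are names chosen for this example.

```javascript
// Added example: a regression check for sanitizer output. Not code from the
// advisory or from the sanitize-html project.

// Constructed sample: the advisory's output for the PoC on an affected version.
const AFFECTED_OUTPUT = '<img src="onmouseover="alert(\'XSS\');"" />';
// Constructed sample: a correctly serialized tag with an entity-escaped value.
const WELL_FORMED_OUTPUT = '<img src="x" alt="a &quot;quoted&quot; word" />';

// Tokenize the attributes of one start tag. Returns { tagName, attrs } where
// attrs is an array of { name, value }. Throws when the quoting is malformed:
// a quoted value must be followed by whitespace, "/" or ">".
function parseStartTag(s) {
  let i = 0;
  if (s[i] !== '<') throw new Error('not a tag');
  i++;
  const nameStart = i;
  while (i < s.length && /[A-Za-z0-9-]/.test(s[i])) i++;
  if (i === nameStart) throw new Error('missing tag name');
  const tagName = s.slice(nameStart, i).toLowerCase();
  const attrs = [];
  for (;;) {
    while (i < s.length && /\s/.test(s[i])) i++;
    if (i >= s.length) throw new Error('unterminated tag');
    if (s[i] === '>') break;
    if (s[i] === '/') { i++; continue; } // self-closing slash
    // attribute name: everything up to whitespace, "=", "/" or ">"
    const an = i;
    while (i < s.length && !/[\s=\/>]/.test(s[i])) i++;
    if (an === i) throw new Error(`unexpected character ${JSON.stringify(s[i])} at offset ${i}`);
    const name = s.slice(an, i).toLowerCase();
    while (i < s.length && /\s/.test(s[i])) i++;
    let value = null;
    if (s[i] === '=') {
      i++;
      while (i < s.length && /\s/.test(s[i])) i++;
      const q = s[i];
      if (q === '"' || q === "'") {
        const close = s.indexOf(q, i + 1);
        if (close === -1) throw new Error(`unterminated quoted value for ${name}`);
        value = s.slice(i + 1, close);
        i = close + 1;
        // The check that catches the advisory's output: after a closing quote
        // only whitespace, "/" or ">" may follow.
        if (i < s.length && !/[\s\/>]/.test(s[i])) {
          throw new Error(`malformed quoting after attribute ${name} at offset ${i}`);
        }
      } else {
        // unquoted value runs to whitespace or ">"
        const vs = i;
        while (i < s.length && !/[\s>]/.test(s[i])) i++;
        value = s.slice(vs, i);
      }
    }
    attrs.push({ name, value });
  }
  return { tagName, attrs };
}

// Apply the two defensive checks: well-formed quoting, and no on* attribute
// left in the output. Returns { ok, reason, attrs }.
function checkSanitizedTag(html) {
  let parsed;
  try {
    parsed = parseStartTag(html);
  } catch (e) {
    return { ok: false, reason: e.message, attrs: [] };
  }
  const handler = parsed.attrs.find((a) => a.name.startsWith('on'));
  if (handler) {
    return { ok: false, reason: `event handler attribute ${handler.name} survived`, attrs: parsed.attrs };
  }
  return { ok: true, reason: null, attrs: parsed.attrs };
}

// Demo: run the check over the constructed samples.
for (const sample of [AFFECTED_OUTPUT, WELL_FORMED_OUTPUT]) {
  const r = checkSanitizedTag(sample);
  console.log(JSON.stringify(sample), '->', r.ok ? 'ok' : `REJECT: ${r.reason}`);
}
```

In a real test suite the input to checkSanitizedTag would be the sanitizer's output for the PoC input, so the test fails if a future version reintroduces the mis-tokenization or lets an event handler through.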
Recommendation
Update to version 1.2.3 or later.