Passing in a non-string 'html' argument can lead to unsanitized output

GHSA-qxg5-2qff-p49r · CVE-2021-32696

Published Jun 18, 2021 · Modified Mar 13, 2026

Description

A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.

Impact

XSS

Patches

3.2.0

Workarounds

Ensure that the html parameter is a string before calling the function.

References

WEB https://github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49r
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-32696
WEB https://github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2faca
WEB https://github.com/ericnorris/striptags/releases/tag/v3.2.0
WEB https://www.npmjs.com/package/striptags

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes