| purl | pkg:npm/sanitize-html@1.2.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2nn3-ux99-pfde (aliases: CVE-2016-1000237, GHSA-3j7m-hmh3-9jmp) | Cross-Site Scripting in sanitize-html | Affected by 7 other vulnerabilities. |
| VCID-4ha9-n2n3-2be8 (aliases: GMS-2016-57) | XSS - Sanitization not applied recursively. Sanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup. | Affected by 7 other vulnerabilities. |
| VCID-7j67-9wrp-ebb2 (aliases: CVE-2021-26539, GHSA-rjqq-98f6-6j3r) | Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass the hostname whitelist validation set by the `allowedIframeHostnames` option. | Affected by 3 other vulnerabilities. |
| VCID-92y7-jps8-3ydr (aliases: CVE-2024-21501, GHSA-rm97-x556-q36h) | Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend with the `style` attribute allowed, allowing enumeration of files on the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. | Affected by 0 other vulnerabilities. |
| VCID-jgkq-5tyj-d3bg (aliases: GMS-2014-17) | Cross-Site Scripting. sanitize-html will merge an incomplete attribute like `SRC=` with the next attribute. While the result is not valid HTML, it may be misinterpreted by the browser. | Affected by 9 other vulnerabilities. |
| VCID-jry7-364q-3bgh (aliases: CVE-2022-25887, GHSA-cgfm-xwp7-2cvr) | sanitize-html vulnerable to ReDoS attacks | Affected by 1 other vulnerability. |
| VCID-rdn1-gbys-xyh2 (aliases: CVE-2021-26540, GHSA-mjxr-4v3x-q3m4) | Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the `allowedIframeHostnames` option when `allowIframeRelativeUrls` is set to true, which allows attackers to bypass the hostname whitelist for the iframe element by using an `src` value that starts with `/\\example.com`. | Affected by 2 other vulnerabilities. |
| VCID-sgfh-qpmp-pqa4 (aliases: CVE-2019-25225, GHSA-qhxp-v273-g94h) | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code. | Affected by 4 other vulnerabilities. |
| VCID-wkp2-3qm6-euah (aliases: CVE-2017-16016, GHSA-xc6g-ggrc-qq4r) | Cross-Site Scripting in sanitize-html | Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-wsu9-fzu9-s7b3 (aliases: GMS-2016-17) | XSS Vulnerability. sanitize-html is vulnerable to cross-site scripting (XSS) in certain scenarios: if at least one of the `nonTextTags` is allowed, the result is a potential XSS vulnerability. | Affected by 5 other vulnerabilities. |
| VCID-yxgp-4afk-wyen (aliases: CVE-2017-16017, GHSA-wg96-3933-j2w5) | Cross-Site Scripting in sanitize-html | Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |