apostrophecms/sanitize-html

apostrophecms/sanitize-html

Releases55

Frequency2 months 1 week

Last Release about 1 year ago

Stars4.13K

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2014-125128 ↗	Sep 8, 2025Monday, 8 September 2025, 11:15	6.1 MEDIUM	—
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
CVE-2019-25225 ↗	Sep 8, 2025Monday, 8 September 2025, 10:15	6.1 MEDIUM	—
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
CVE-2024-21501 ↗	Feb 24, 2024Saturday, 24 February 2024, 05:15	5.3 MEDIUM	—
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
CVE-2022-25887 ↗	Aug 30, 2022Tuesday, 30 August 2022, 05:15	5.3 MEDIUM	—
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
CVE-2021-26539 ↗	Feb 8, 2021Monday, 8 February 2021, 17:15	5.3 MEDIUM	5 MEDIUM
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
CVE-2021-26540 ↗	Feb 8, 2021Monday, 8 February 2021, 17:15	5.3 MEDIUM	5 MEDIUM
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
CVE-2017-16016 ↗	Jun 4, 2018Monday, 4 June 2018, 19:29	—	4.3 MEDIUM
Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.
CVE-2017-16017 ↗	Jun 4, 2018Monday, 4 June 2018, 19:29	—	4.3 MEDIUM
sanitize-html is a library for scrubbing html input for malicious values Versions 1.2.2 and below have a cross site scripting vulnerability.