NODEJS:155 - Cross-Site Scripting

Type: nodejs
Author: Jim O'Brien
Published: 2016-10-27 16:37:44
Source: www.npmjs.com

EPSS: 0.001 (Low), percentile 46.4%

Overview

Affected versions of sanitize-html (1.2.2 and earlier) are vulnerable to cross-site scripting.

Proof of Concept:

Passing the input

<img src>

through the sanitizer produces the following output:

<img src />

A src attribute with no value is invalid HTML; that the sanitizer emits it rather than dropping or normalising it suggests the attribute is being interpreted incorrectly by the parser, so the sanitized output cannot be trusted to mean what the sanitizer's allow-list intended.

Recommendation

Update to version 1.2.3 or later.
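The two checks a practitioner wants from this advisory are a version gate (is the installed sanitize-html at or below 1.2.2?) and a guard that catches the proof-of-concept shape, a URL-bearing attribute that comes out of the sanitizer with no value, before the output reaches a renderer. The block below is an added example, not code from the advisory or from the sanitize-html project. `affectedSanitizeStub` is a constructed stand-in that only reproduces the observed `<img src>` to `<img src />` behaviour, and `startTagAttributes` is a deliberately small start-tag scanner (not a full HTML5 tokenizer) used to locate valueless attributes in sanitizer output; both names are this example's own.

```javascript
// Added example; not from the advisory or from sanitize-html itself.

const AFFECTED_MAX = [1, 2, 2]; // advisory: sanitize-html <= 1.2.2 is affected

// True when a "major.minor.patch" version string is <= 1.2.2.
function isAffectedVersion(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] < AFFECTED_MAX[i]) return true;
    if (parts[i] > AFFECTED_MAX[i]) return false;
  }
  return true; // exactly 1.2.2
}

const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Minimal start-tag scanner (assumption: enough for sanitizer output, not a
// full HTML5 tokenizer). Returns [{ tag, attrs: [{ name, value }] }], where
// value === null marks an attribute written without "=value", e.g. `<img src />`.
function startTagAttributes(html) {
  const tags = [];
  const n = html.length;
  let i = 0;
  while (i < n) {
    // Only "<" followed by a letter opens a start tag; skips text, "</", "<!--".
    if (html[i] !== '<' || !/[A-Za-z]/.test(html[i + 1] || '')) { i++; continue; }
    i++;
    let tag = '';
    while (i < n && !isSpace(html[i]) && html[i] !== '/' && html[i] !== '>') tag += html[i++];
    const attrs = [];
    while (i < n) {
      while (i < n && (isSpace(html[i]) || html[i] === '/')) i++; // gaps and self-closing slash
      if (i >= n || html[i] === '>') { i++; break; }
      let name = '';
      while (i < n && !isSpace(html[i]) && html[i] !== '=' && html[i] !== '/' && html[i] !== '>') name += html[i++];
      while (i < n && isSpace(html[i])) i++;
      let value = null;
      if (html[i] === '=') {
        i++;
        while (i < n && isSpace(html[i])) i++;
        value = '';
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < n && html[i] !== q) value += html[i++];
          i++; // closing quote
        } else {
          while (i < n && !isSpace(html[i]) && html[i] !== '>') value += html[i++];
        }
      }
      attrs.push({ name: name.toLowerCase(), value });
    }
    tags.push({ tag: tag.toLowerCase(), attrs });
  }
  return tags;
}

// Lists "tag.attr" for every watched URL attribute that came out with no value.
function valuelessAttributes(html, watch = ['src', 'href', 'action', 'srcset']) {
  const found = [];
  for (const { tag, attrs } of startTagAttributes(html)) {
    for (const { name, value } of attrs) {
      if (value === null && watch.includes(name)) found.push(`${tag}.${name}`);
    }
  }
  return found;
}

// Constructed stand-in for an affected release: mirrors only the advisory's PoC.
function affectedSanitizeStub(input) {
  return input.replace(/<img src>/g, '<img src />');
}

// Wraps any sanitizer: returns { html, rejected } and blanks the output when it
// contains a valueless URL attribute, so `<img src />` never reaches a renderer.
function guardedSanitize(input, sanitize) {
  const html = sanitize(input);
  const rejected = valuelessAttributes(html);
  return { html: rejected.length ? '' : html, rejected };
}

console.log('1.2.2 affected:', isAffectedVersion('1.2.2'), '| 1.2.3 affected:', isAffectedVersion('1.2.3'));
console.log(guardedSanitize('<img src>', affectedSanitizeStub));
console.log(guardedSanitize('<img src="a.png">', affectedSanitizeStub));
```

The guard is a stop-gap for systems that cannot upgrade immediately; the fix remains updating to 1.2.3 or later, after which `valuelessAttributes` can stay in place as a regression check on sanitizer output.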

Affected software

CPE Name        Operator    Version
sanitize-html   le (<=)     1.2.2
