Design/Logic Flaw

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of...

Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering

Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous XSS in case user-controlled input is passed to the clean function. Description: Proof of concept: javascript var myJanitor = new HTMLJanitortags:p:; var...