14 matches found
Improper Encoding or Escaping of Output
Overview: sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...
NPM: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
NPM: Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html. Vulnerability discovered by ? in WordPress Npm sanitize-html versions 2.17.3...
EUVD-2018-0784
Malware in sbrugna...
EUVD-2022-6537
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2019-25225
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml function in index.js does not sanitize content when using...
CVE-2014-125128
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' does not properly validate the hyperlink reference (href) attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...
08cms (=1.0.0), 10secondsofcode-custom (=1.0.0) +3097 more potentially affected by CVE-2019-25225 via sanitize-html (>=0.1.4 <=1.7.0)
sanitize-html NPM version =0.1.4, =1.0.0, =1.0.0, =1.0.0, =0.6.0, =0.1.0, =0.1.0, =11.1.0, =1.0.0, =1.0.1, =0.2.0, =0.1.0, =0.19.1-rc.2, =0.19.1-rc.4 and more. Source CVEs: CVE-2019-25225. Source advisory: OSV:GHSA-QHXP-V273-G94H...
08cms (=1.0.0), 10secondsofcode-custom (=1.0.0) +6355 more potentially affected by CVE-2022-25887 via sanitize-html (>=0.1.4 <=2.7.0)
sanitize-html NPM version =0.1.4, =1.0.0, =0.15.4, =4.11.0, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =0.0.74, =0.0.14, =0.0.1, =0.0.1, =0.6.0, =3.0.19, =3.0.25 and more. Source CVEs: CVE-2022-25887. Source advisory: OSV:GHSA-CGFM-XWP7-2CVR...
5etools-utils (>=0.15.4 <=0.16.8), 7ghost (>=4.11.0 <=4.11.46) +3577 more potentially affected by CVE-2022-25887 via sanitize-html (>=2.10.0 <=2.7.0)
sanitize-html NPM version =2.10.0, =0.15.4, =4.11.0, =0.1.0, =1.0.0, =0.0.74, =0.0.14, =0.0.1, =0.0.1, =3.0.19, =1.3.0, =2.6.0, =2.0.0, =0.0.1, =0.0.5, =2.5.1 and more. Source CVEs: CVE-2022-25887. Source advisory: SNYK:JS-SANITIZEHTML-2957526...
08cms (=1.0.0), 10secondsofcode-custom (=1.0.0) +6233 more potentially affected by CVE-2021-26539 via sanitize-html (>=0.1.4 <=2.3.0)
sanitize-html NPM version =0.1.4, =1.0.0, =0.15.4, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =0.0.74, =0.0.14, =0.0.1, =0.6.0, =3.0.19, =1.3.0, =2.6.0, =6.0.1 and more. Source CVEs: CVE-2021-26539. Source advisory: OSV:GHSA-RJQQ-98F6-6J3R...
Privilege Escalation
sanitize-html is vulnerable to privilege escalation. An attacker is able to bypass the hostname whitelist for the iframe element when "allowIframeRelativeUrls" is set to true, because the hostnames set by "allowedIframeHostnames" are not properly validated...
CVE-2016-1000237
sanitize-html before 1.4.3 has XSS...
PT-2020-7942
Name of the Vulnerable Software and Affected Versions: sanitize-html versions prior to 1.4.3. Description: The issue allows an attacker to execute arbitrary JavaScript due to the lack of recursive sanitization of input in affected versions of sanitize-html. Recommendations: Update to version 1.4.3...