CVE-2018-3740: HTML injection/XSS

March 30, 2018 (updated December 28, 2018)

When sanitize is used in combination with libxml2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing attributes that are not specified in the allowlist to be used. This can allow HTML and JavaScript injection, which could result in XSS if the output is served to browsers.

References

github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
github.com/rgrove/sanitize/issues/176

Detect and mitigate CVE-2018-3740 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →