GMS-2020-438: HTML Injection in preact
Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation, the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .
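One way to close the precondition described above at the application boundary, as an added example (not preact's code or its fix): values taken from parsed JSON are forced to text before they are used as JSX children, and objects or arrays are rejected. The names `toTextChild` and `parseTextFields` and the sample payloads are hypothetical and constructed for illustration.

```javascript
// Added example: validate JSON-derived values before using them as JSX children.

// Return a string that is safe to use as a text child. Objects and arrays are
// rejected, because a renderer could interpret them as virtual-dom nodes.
function toTextChild(value, path = "value") {
  if (value === null || value === undefined) return "";
  switch (typeof value) {
    case "string":
      return value;
    case "number":
    case "boolean":
      return String(value);
    default: {
      const kind = Array.isArray(value) ? "array" : typeof value;
      throw new TypeError(`${path}: expected text, got ${kind}`);
    }
  }
}

// Parse untrusted JSON and return only the listed fields, each coerced to text.
// Fields that held a non-text value are blanked and reported in `rejected`.
function parseTextFields(json, fields) {
  const parsed = JSON.parse(json);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("payload: expected a JSON object");
  }
  const out = {};
  const rejected = [];
  for (const field of fields) {
    // Own properties only, so inherited members such as `constructor` are ignored.
    const own = Object.prototype.hasOwnProperty.call(parsed, field);
    try {
      out[field] = toTextChild(own ? parsed[field] : undefined, field);
    } catch (err) {
      rejected.push(field);
      out[field] = "";
    }
  }
  return { fields: out, rejected };
}

// Constructed sample payloads: one well-formed, one with an object where text is expected.
const SAMPLE_OK = '{"name": "Ada", "age": 36}';
const SAMPLE_OBJECT = '{"name": {"unexpected": "object"}, "age": 36}';
console.log(parseTextFields(SAMPLE_OK, ["name", "age"]));
console.log(parseTextFields(SAMPLE_OBJECT, ["name", "age"]));
```

In a component, render `fields.name` rather than the raw parsed value, and log or alert on a non-empty `rejected` list.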