Advisories for Npm/Sanitize-Html package

2024

sanitize-html Information Exposure vulnerability

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

2022
2021

Origin Validation Error

sanitize-html does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass the hostname allowlist validation set by the allowedIframeHostnames option.

Origin Validation Error

sanitize-html does not properly validate the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls is set to true, which allows attackers to bypass the hostname allow list for an iframe element.

2020
2018
2016

XSS Vulnerability

sanitize-html is vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.

2014