CVE-2021-26540: Origin Validation Error
sanitize-html before 2.3.1 does not properly validate the hostnames set by the allowedIframeHostnames option when allowIframeRelativeUrls is set to true, which allows attackers to bypass the hostname allow list for an iframe element.
Detect and mitigate CVE-2021-26540 with GitLab Dependency Scanning