Sanitize vulnerable to Improper Input Validation and Cross-site Scripting

2018-03-2111:56:32

Google

osv.dev

0.001 Low

EPSS

Percentile

50.1%

JSON

When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

This can allow HTML and JavaScript injection, which could result in XSS if Sanitize’s output is served to browsers.

CPENameOperatorVersion
sanitizeeq4.1.0
sanitizeeq4.5.0
sanitizeeq4.2.0
sanitizeeq4.0.0
sanitizeeq4.4.0
sanitizeeq4.6.0
sanitizeeq4.0.1
sanitizeeq3.0.4
sanitizeeq4.6.2
sanitizeeq3.1.0

Name	Operator	Version
sanitize	eq	4.1.0
sanitize	eq	4.5.0
sanitize	eq	4.2.0
sanitize	eq	4.0.0
sanitize	eq	4.4.0
sanitize	eq	4.6.0
sanitize	eq	4.0.1
sanitize	eq	3.0.4
sanitize	eq	4.6.2
sanitize	eq	3.1.0