sanitize-html is vulnerable to privilege escalation. An attacker is able to bypass the hostname whitelist for the iframe element when “allowIframeRelativeUrls” is set to true, because the hostnames set by “allowedIframeHostnames” are not properly validated.
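
A defence-in-depth check for the two settings named above, as an added example that is not sanitize-html's own code: it resolves each iframe `src` the way a browser would before comparing hostnames, so a value counts as relative only if it stays on the page's own origin. `PAGE_URL`, the `.example` hostnames and the function names are assumptions made for the illustration.

```javascript
// Added example: an independent post-sanitization check, not sanitize-html code.
// PAGE_URL and every hostname below are constructed placeholders.
const PAGE_URL = 'https://app.example/articles/1';

// Same option names as the sanitize-html settings discussed above.
const POLICY = {
  allowedIframeHostnames: ['video.example'],
  allowIframeRelativeUrls: true,
};

// Returns true only if the src, once resolved, satisfies the policy.
function iframeSrcAllowed(src, policy, pageUrl = PAGE_URL) {
  let base, resolved;
  try {
    base = new URL(pageUrl);
    // Resolve against the page URL instead of inspecting the raw string,
    // so the decision is made on the hostname the browser would load.
    resolved = new URL(src, base);
  } catch {
    return false; // unparseable values are rejected
  }
  // Only web schemes are acceptable as frame sources.
  if (resolved.protocol !== 'https:' && resolved.protocol !== 'http:') return false;
  // Exact hostname match against the allowlist.
  if (policy.allowedIframeHostnames.includes(resolved.hostname)) return true;
  // Otherwise accept only a URL that really stays on the page's origin.
  return policy.allowIframeRelativeUrls === true && resolved.origin === base.origin;
}

// Lists the src values that should not have survived sanitization.
function rejectedSrcs(srcs, policy, pageUrl = PAGE_URL) {
  return srcs.filter((src) => !iframeSrcAllowed(src, policy, pageUrl));
}

// Constructed sample values, as they might appear in sanitized output.
const SAMPLE_SRCS = [
  '/embed/local-player',             // relative, same origin
  'https://video.example/embed/42',  // allowlisted hostname
  'https://untrusted.example/frame', // absolute, not allowlisted
  '//untrusted.example/frame',       // no scheme, but resolves to another host
  'data:text/html,hello',            // non-web scheme
];

console.log(rejectedSrcs(SAMPLE_SRCS, POLICY));
```

Running the check over sanitized output in a test suite or a content pipeline flags iframe sources that pass the sanitizer but resolve outside the allowlist.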