EPSS Percentile: 49.3%
sanitize-html is vulnerable to a hostname validation bypass. The package does not properly validate the iframe hostname in its URL parser, allowing an IDNA (Internationalized Domain Name) iframe attack in which a hostname with internationalized characters passes the allowed-hostname check.
advisory.checkmarx.net/advisory/CX-2021-4308
github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
github.com/apostrophecms/sanitize-html/commit/ca4b62adbfc2b295e71ad8d60fc8af1367e38dae
github.com/apostrophecms/sanitize-html/pull/458