GHSA-cmh5-qc8w-xvcq
GitHub Security Advisory
# Cross-Site Scripting in i18next
## Advisory Details
Affected versions of `i18next` may fail to sanitize user input when certain configuration options are used. When `.init` is called with an `interpolation` object that does not set `escapeValue`, the option ends up as `undefined` (which is falsy) rather than the expected default of `true`, so interpolated values are inserted into the output without HTML escaping.
## Proof of Concept
```js
// Initialising with an explicit interpolation block. Supplying this object
// replaces the library defaults, so escapeValue has to be set here as well.
var init = i18n.init({
  interpolation: {
    prefix: "__",
    suffix: "__",
    escapeValue: true   // omit this key to reproduce the unescaped output below
  }
}, function () {
  // firstName carries attacker-controlled markup; lastName is an ordinary value.
  var test = i18n.t('__firstName__ __lastName__', {
    firstName: '<script>alert(1)</script>',
    lastName: 'Johnson'
  });
  console.log(test);
});
```
When `escapeValue` is explicitly set to `true`, the result of `test` is the HTML-escaped string:
```html
&lt;script&gt;alert(1)&lt;/script&gt; Johnson
```
This is supposed to be the default behaviour. However, if `escapeValue` is omitted from the `interpolation` object, the result is the unescaped string:
```html
<script>alert(1)</script> Johnson
```
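The defect is a configuration-merging mistake rather than a flaw in the escaping routine itself: a caller-supplied `interpolation` object replaces the defaults wholesale, so any key the caller leaves out becomes `undefined`. The following added example (not i18next's own code) models that behaviour in a minimal interpolator, shows the per-key merge that preserves the default, and includes a small audit helper that flags an options object matching the advisory's condition. The function names (`resolveInterpolationVulnerable`, `resolveInterpolationFixed`, `hasUnsafeInterpolationConfig`), the five-character entity map and the sample data are all constructed for illustration.

```javascript
// Added example, not i18next's own code: a minimal interpolator that models the
// configuration-merging defect described in the advisory and the safe merge.
// Function names and sample data are constructed for illustration.

const DEFAULT_INTERPOLATION = { prefix: '__', suffix: '__', escapeValue: true };

// Characters that matter when a value lands in HTML text or attribute context.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable pattern: a caller-supplied interpolation object replaces the
// defaults wholesale, so every key the caller omitted becomes undefined.
// undefined is falsy, which the interpolator reads as "do not escape".
function resolveInterpolationVulnerable(options) {
  return options.interpolation ? options.interpolation : DEFAULT_INTERPOLATION;
}

// Fixed pattern: merge key by key, so an omitted escapeValue keeps its default.
function resolveInterpolationFixed(options) {
  return Object.assign({}, DEFAULT_INTERPOLATION, options.interpolation);
}

// Replace prefix+key+suffix placeholders; escape only when escapeValue is truthy.
function interpolate(template, values, cfg) {
  const re = new RegExp(escapeRegExp(cfg.prefix) + '(.+?)' + escapeRegExp(cfg.suffix), 'g');
  return template.replace(re, (match, key) => {
    // Unknown key: leave the placeholder untouched rather than inserting "undefined".
    if (!Object.prototype.hasOwnProperty.call(values, key)) return match;
    const v = values[key];
    return cfg.escapeValue ? escapeHtml(v) : String(v);
  });
}

// Configuration audit: flags the exact condition in the advisory, an
// interpolation object that does not set escapeValue explicitly.
function hasUnsafeInterpolationConfig(options) {
  const interp = options && options.interpolation;
  if (!interp || typeof interp !== 'object') return false; // nothing overridden, defaults apply
  return !Object.prototype.hasOwnProperty.call(interp, 'escapeValue');
}

// Constructed sample: the advisory's template, attacker-controlled markup in
// firstName, and an options object with escapeValue omitted.
const TEMPLATE = '__firstName__ __lastName__';
const VALUES = { firstName: '<script>alert(1)</script>', lastName: 'Johnson' };
const USER_OPTIONS = { interpolation: { prefix: '__', suffix: '__' } };

function renderVulnerable(options = USER_OPTIONS) {
  return interpolate(TEMPLATE, VALUES, resolveInterpolationVulnerable(options));
}

function renderFixed(options = USER_OPTIONS) {
  return interpolate(TEMPLATE, VALUES, resolveInterpolationFixed(options));
}

console.log('vulnerable merge :', renderVulnerable());
console.log('fixed merge      :', renderFixed());
console.log('config flagged   :', hasUnsafeInterpolationConfig(USER_OPTIONS));
```

The audit helper is the practical takeaway for code that cannot yet be upgraded: if an `interpolation` block is passed to `.init` at all, set `escapeValue: true` in it explicitly; the helper returns `true` for any options object that omits the key, regardless of what else the block contains.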
## Recommendation
Update to version 3.4.4 or later.
Data from GitHub Advisory Database. This information is provided for research and educational purposes.