GHSA-wg96-3933-j2w5
GitHub Security Advisory
Cross-Site Scripting in sanitize-html
GitHub Reviewed. Severity: MODERATE. Has CVE.
Advisory Details
Affected versions of `sanitize-html` are vulnerable to cross-site scripting.
## Proof of Concept
Sanitizing the input
`<IMG SRC= onmouseover="alert('XSS');">`
produces the following output:
`<img src="onmouseover="alert('XSS');"" />`
The output is invalid HTML, and the raw double quotes left inside the `src` value indicate that the parser treats the whole `onmouseover="alert('XSS');"` text as the value of `src` and that the serializer writes that value back without escaping the quotes in it.
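As an added example, not sanitize-html's own code or part of the advisory: a defensive well-formedness check that flags the quoting defect visible in the PoC output above, next to the attribute-value escaping a serializer must apply to avoid producing it. The names `escapeAttrValue`, `serializeTag` and `checkTag` are assumptions made for this example.

```javascript
// Escape characters that could end or alter a double-quoted attribute value.
// '&' goes first so entities produced by the later replacements are not re-escaped.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize a start tag with every attribute value escaped and double-quoted.
function serializeTag(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttrValue(v)}"`);
  return `<${name}${parts.length ? ' ' + parts.join(' ') : ''} />`;
}

// Walk one start tag's attribute list the way an HTML tokenizer delimits it and
// report the attribute names a browser would see plus any malformation found.
function checkTag(tag) {
  const m = /^<([a-zA-Z][\w-]*)([\s\S]*?)\/?>$/.exec(tag.trim());
  if (!m) return { attrs: [], problems: ['not a single start tag'] };
  const attrs = [];
  const problems = [];
  // name, optionally followed by '=' and a double-quoted, single-quoted or unquoted value
  const attrRe = /^\s+([^\s=\/>"']+)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/;
  let rest = m[2];
  while (rest.trim() !== '') {
    const a = attrRe.exec(rest);
    if (!a) { problems.push(`unparseable attribute text: ${rest.trim()}`); break; }
    attrs.push(a[1].toLowerCase());
    rest = rest.slice(a[0].length);
    // A quoted value must be followed by whitespace, '/' or the end of the tag;
    // anything else means the quote that closed it was really part of the value.
    const quoted = a[3] !== undefined || a[4] !== undefined;
    if (quoted && rest.length > 0 && !/^[\s\/]/.test(rest)) {
      problems.push(`attribute ${a[1]}: quoted value cut short before '${rest[0]}'`);
      break;
    }
  }
  for (const n of attrs) if (n.startsWith('on')) problems.push(`event handler attribute ${n} survived`);
  return { attrs, problems };
}

// Constructed inputs: the PoC output quoted in the advisory, and the same
// attribute value emitted through the escaping serializer above.
const POC_OUTPUT = '<img src="onmouseover="alert(\'XSS\');"" />';
const SAFE_OUTPUT = serializeTag('img', { src: 'onmouseover="alert(\'XSS\');"' });
```

`checkTag(POC_OUTPUT)` reports the cut-short `src` value, while `checkTag(SAFE_OUTPUT)` reports nothing because the embedded quotes were emitted as `&quot;`.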
## Recommendation
Update to version 1.2.3 or later.
Affected Packages
npm: `sanitize-html`
Affected versions: 0 (fixed in 1.2.3)
Score: 5.0/10
Last updated: July 3, 2025 6:26 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.