CVE-2017-16016: XSS
First published: Mon Jun 04 2018(Updated: )
Affected versions of `sanitize-html` are vulnerable to cross-site scripting when allowedTags includes at least one `nonTextTag`. ## Proof of Concept ```js var sanitizeHtml = require('sanitize-html'); var dirty = '!<textarea></textarea><svg/onload=prompt`xs`></textarea>!'; var clean = sanitizeHtml(dirty, { allowedTags: [ 'textarea' ] }); console.log(clean); // !<textarea></textarea><svg/onload=prompt`xs`></textarea>! ``` ## Recommendation Update to version 1.11.4 or later.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Punkave Sanitize-html | <=1.11.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-16016
- https://github.com/punkave/sanitize-html/issues/100
- https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))
- https://github.com/advisories/GHSA-xc6g-ggrc-qq4r (Advisory)
- https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag
- https://www.npmjs.com/advisories/154
- https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403
- https://nodesecurity.io/advisories/154
Frequently Asked Questions
What is the severity of CVE-2017-16016?
CVE-2017-16016 is classified as a high severity vulnerability due to its potential for cross-site scripting attacks.
How do I fix CVE-2017-16016?
To fix CVE-2017-16016, update the 'sanitize-html' package to version 1.11.2 or later.
What are the affected versions of CVE-2017-16016?
CVE-2017-16016 affects versions of 'sanitize-html' up to and including 1.11.1.
What types of attacks can CVE-2017-16016 lead to?
CVE-2017-16016 can lead to cross-site scripting (XSS) attacks if user input is not properly sanitized.
Are there any workarounds for CVE-2017-16016?
A workaround for CVE-2017-16016 is to avoid using non-text tags in the allowedTags configuration within the 'sanitize-html' library.
- collector/github-advisory-latest
- alias/GHSA-xc6g-ggrc-qq4r
- alias/CVE-2017-16016
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/npm
- vendor/punkave
- canonical/punkave sanitize-html
- version/punkave sanitize-html/1.11.1