Skip to content

chore(deps): update dependency sanitize-html to v2.17.4 [security]#863

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sanitize-html-vulnerability
Open

chore(deps): update dependency sanitize-html to v2.17.4 [security]#863
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sanitize-html-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 14, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
sanitize-html (source) 2.17.32.17.4 age confidence

Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html

CVE-2026-44990 / GHSA-rpr9-rxv7-x643

More information

Details

Summary

Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized output back to users.

Details

In sanitize-html@2.17.3, the default nonTextTags list includes only script, style, textarea, and option in index.js lines 138-142. That means disallowed xmp tags are not treated as "drop the entire contents" tags.

Later, in the ontext handler at index.js lines 569-577, the code special-cases textarea and xmp and appends their text content directly to the output without escaping:

} else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (tag === 'textarea' || tag === 'xmp')) {
  result += text;
}

Because htmlparser2 treats xmp as a raw-text element, markup inside xmp is parsed as text on input but becomes live markup again once it is appended unescaped to the sanitized output.

This creates a default sanitizer bypass. For example, a disallowed <xmp> wrapper can be used to smuggle <script> or event-handler payloads through sanitization.

The README also appears to contradict the implementation. In the "Discarding the entire contents of a disallowed tag" section, the documented exception list names only style, script, textarea, and option, and does not mention xmp.

PoC

Tested locally against sanitize-html@2.17.3 on Node.js v25.2.1.

  1. Install the package:
npm install sanitize-html
  1. Run the following script:
const sanitizeHtml = require('sanitize-html');

console.log(sanitizeHtml('<xmp><script>alert(1)</script></xmp>'));
console.log(sanitizeHtml('<xmp><img src=x onerror=alert(1)></xmp>'));
console.log(sanitizeHtml('<xmp><svg><script>alert(1)</script></svg></xmp>'));
  1. Observed output:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg><script>alert(1)</script></svg>
  1. Render any of the returned strings in a browser context that trusts sanitize-html output, for example:
const dirty = '<xmp><script>alert(1)</script></xmp>';
const clean = sanitizeHtml(dirty);

If clean is inserted into the DOM or stored and later rendered as trusted HTML, the attacker-controlled script executes.

Impact

This is a cross-site scripting vulnerability in the default sanitizer behavior. Any application that uses sanitize-html defaults and then renders the returned HTML as trusted output is impacted. A remote attacker who can submit HTML content can trigger execution of arbitrary JavaScript in another user's browser when that content is viewed.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

apostrophecms/apostrophe (sanitize-html)

v2.17.4

Changes
  • sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.
Security
  • Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • ""
  • Automerge
    • Monday through Friday (* * * * 1-5)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from a team and DariaYeremina as code owners May 14, 2026 22:51
@renovate renovate Bot enabled auto-merge (squash) May 14, 2026 22:51
@renovate renovate Bot force-pushed the renovate/npm-sanitize-html-vulnerability branch from 7fe6f55 to 7dd61fa Compare May 15, 2026 08:47
@renovate
chore(deps): update dependency sanitize-html to v2.17.4 [security]
6d6b249 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/npm-sanitize-html-vulnerability branch from 7dd61fa to 6d6b249 Compare May 15, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kongponents-bot kongponents-bot Awaiting requested review from kongponents-bot kongponents-bot is a code owner

@adamdehaven adamdehaven Awaiting requested review from adamdehaven adamdehaven is a code owner

@jillztom jillztom Awaiting requested review from jillztom jillztom is a code owner

@ValeryG ValeryG Awaiting requested review from ValeryG ValeryG is a code owner

@DariaYeremina DariaYeremina Awaiting requested review from DariaYeremina DariaYeremina is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies renovate-bot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants