[Snyk: High] Arbitrary Code Execution in sanitize-html (due 10/9/20) #4026
Comments
This is currently used in typeahead.js here:
And, in filter-typeahead.js:
While the Snyk alert says "No remediation paths available", it also says "Fixed in Beta 2.0". Clicking through to the "More about this issue" link, it then confusingly says "Remediation: Upgrade sanitize-html to version 2.0.0-beta or higher". Attempts to upgrade to the 2.0 release candidate (or any of the 2.0 Beta versions) fail the JS tests. There are other possible alternatives which I was unsuccessful in using as a replacement, but they need more research on their usage:
Since the above comment,
In package-lock.json, we have postcss 8.0.9; sanitize-html has 8.0.2 listed there as a requirement. Tried downgrading to 8.0.2 locally and get the same errors.
No remediation path at this time.
Hi @johnnyporkchops, I was looking at other vulnerabilities in fec-cms and saw this changelog from sanitize-html in case it's useful at all:
(ref: https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md)
The recommended remediation path, Error related to
Moving to Blocked since this is a lower-risk vulnerability for us and has so many other hurdles.
We removed sanitize-html with this PR: #4500
Vulnerable module: sanitize-html
Introduced through: sanitize-html@1.18.4
No known exploit
Fixed in: 2.0.0-beta
Detailed paths
Introduced through: fec-cms@1.0.0 › sanitize-html@1.18.4
Remediation: No remediation path available.
Overview
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis.
Affected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using transformTags could be vulnerable to code execution.
Completion criteria: