[CVE-2018-3740] Sanitize HTML injection vulnerability #176
This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.
Description
A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.
Affected versions
Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2
Mitigation
Upgrade to Sanitize 4.6.3 or higher.
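As an added example (not part of this advisory and not the Sanitize project's own code), the following Python script turns the two facts above into something checkable: a version gate for the affected Sanitize/libxml2 combination, and a defense-in-depth audit that walks a sanitizer's output and flags any element or attribute outside the configured whitelist, which is exactly the invariant this bug violated. The whitelist and the sample fragments are constructed for illustration and are not Sanitize's real configuration; the audit uses only the standard-library html.parser, so it can be run over output captured from any sanitizer regardless of which HTML parser produced it.

```python
from html.parser import HTMLParser

# Constructed whitelist for illustration only (an assumption, not the gem's
# actual config): element name -> set of attribute names allowed on it.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(),
    "img": {"src", "alt"},
    "p": set(),
}


def parse_version(text):
    """Turn a dotted version string such as '4.6.3' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def affected(sanitize_version, libxml2_version):
    """True when the pair falls in the range the advisory names:
    Sanitize < 4.6.3 together with libxml2 >= 2.9.2."""
    return (parse_version(sanitize_version) < (4, 6, 3)
            and parse_version(libxml2_version) >= (2, 9, 2))


class WhitelistAuditor(HTMLParser):
    """Records every element or attribute in a fragment that the whitelist
    does not permit. Run it over sanitizer *output*, never as a sanitizer."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.violations = []  # (kind, element, attribute-or-None)

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            # A non-whitelisted element is one finding; its attributes are moot.
            self.violations.append(("element", tag, None))
            return
        for name, _value in attrs:
            if name not in self.allowed[tag]:
                self.violations.append(("attribute", tag, name))


def audit(fragment, allowed=ALLOWED):
    """Return the list of whitelist violations found in an HTML fragment."""
    auditor = WhitelistAuditor(allowed)
    auditor.feed(fragment)
    auditor.close()
    return auditor.violations


# Constructed sample outputs: one that respects the whitelist, one where an
# attribute outside the whitelist survived on a whitelisted element, and one
# where a non-whitelisted element survived.
CLEAN = '<p>Hi <a href="https://example.com" title="t">link</a> <img src="/a.png" alt="a"></p>'
LEAKED_ATTR = '<p><img src="/a.png" onload="handler()"></p>'
LEAKED_ELEMENT = '<p><span class="x">text</span></p>'

if __name__ == "__main__":
    print("affected(4.6.2, 2.9.4):", affected("4.6.2", "2.9.4"))
    for label, sample in (("clean", CLEAN), ("attr", LEAKED_ATTR), ("elem", LEAKED_ELEMENT)):
        print(label, audit(sample))
```

The audit deliberately reads the output rather than the input: a sanitizer bug of this class is invisible from the input side, but any surviving element or attribute outside the whitelist is a hard failure on the output side, so this check belongs in a test suite or a post-processing gate in front of rendering.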
History of this vulnerability