Closed
Description
This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.
Description
A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.
Affected Versions
Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2
Mitigation
Upgrade to Sanitize 4.6.3 or higher.
History of this vulnerability
- 2018-03-19: Reported by Shopify Application Security Team via email
- 2018-03-19: Sanitize 4.6.3 released with a fix
- 2018-03-19: Initial vulnerability report published