[CVE-2018-3740] Sanitize HTML injection vulnerability #176

Closed
@rgrove

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.

Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.

Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

Mitigation

Upgrade to Sanitize 4.6.3 or higher.

History of this vulnerability

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published
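
A check for the affected-version condition stated above, as an added example (not part of the original issue or of Sanitize's own code): it reads the locked Sanitize version from `Gemfile.lock` text and compares it, together with a libxml2 version string, against the advisory's bounds. The function names, status symbols and sample lockfile are constructed for illustration; the libxml2 version is assumed to be passed in as a string, for example the loaded version reported by `nokogiri -v`.

```ruby
require "rubygems" # Gem::Version gives correct ordering (2.9.10 > 2.9.2)

FIXED_SANITIZE = Gem::Version.new("4.6.3") # first fixed release, per the advisory
MIN_LIBXML2    = Gem::Version.new("2.9.2") # lowest affected libxml2, per the advisory

# Return the version a gem is locked to in Gemfile.lock text, or nil.
# Resolved specs are indented exactly four spaces: "    sanitize (4.6.0)".
# Dependency lines (six spaces) and DEPENDENCIES entries (two) do not match.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Classify a project against the advisory's condition:
# Sanitize < 4.6.3 in combination with libxml2 >= 2.9.2.
def cve_2018_3740_status(lockfile_text, libxml2_version)
  sanitize = locked_version(lockfile_text, "sanitize")
  return :sanitize_not_locked if sanitize.nil?
  return :fixed if sanitize >= FIXED_SANITIZE

  if Gem::Version.new(libxml2_version) >= MIN_LIBXML2
    :affected
  else
    # Still an old Sanitize: a later libxml2 upgrade would expose it.
    :libxml2_below_affected_range
  end
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      nokogiri (1.8.2)
      sanitize (4.6.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.4.4)

  DEPENDENCIES
    sanitize
LOCK

puts cve_2018_3740_status(SAMPLE_LOCK, "2.9.4") if __FILE__ == $PROGRAM_NAME
```

A `:libxml2_below_affected_range` result still calls for the mitigation above, since the system libxml2 can change independently of the Gemfile.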
