CNNVD-202509-1100 Information

CNNVD ID

CNNVD-202509-1100

CVE-2014-125128

  • CNNVD Published: 2025-09-08

Description (Chinese)

Apostrophe sanitize-html is a library from the US company Apostrophe. It sanitizes user-submitted HTML, retaining whitelisted elements and, on a per-element basis, whitelisted attributes. Versions of Apostrophe sanitize-html prior to 1.0.3 contain a security vulnerability that stems from the naughtyHref function not correctly validating hyperlink attributes, which may lead to cross-site scripting attacks.

Description (English)

Apostrophe sanitize-html is a library from the United States company Apostrophe. It sanitizes user-submitted HTML, keeping only whitelisted elements and, on a per-element basis, whitelisted attributes. Versions of Apostrophe sanitize-html prior to 1.0.3 contain a security vulnerability: the naughtyHref function does not correctly validate hyperlink attributes, which may result in a cross-site scripting attack.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

App1pro

Published

2025-09-08

Last Modified

2026-02-24

References

  • https://github.com/apostrophecms/sanitize-html/issues/1
  • https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02
  • https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128
  • https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86
  • https://access.redhat.com/security/cve/cve-2014-125128

Patch

https://github.com/apostrophecms/sanitize-html/tags