CNNVD-202509-1102 Information
CNNVD ID
CNNVD-202509-1102
Related CVE
- CNNVD Published: 2025-09-08
Description (Chinese, translated)
Apostrophe sanitize-html is a library from the US company Apostrophe. It sanitizes user-submitted HTML, keeping whitelisted elements and whitelisted attributes on a per-element basis. Versions of Apostrophe sanitize-html before 2.0.0-beta contain a security vulnerability: the sanitizeHtml function does not sanitize content when the transformTags option is used, which may lead to cross-site scripting attacks.
Description (English)
Apostrophe sanitize-html is a library from the US company Apostrophe. It sanitizes user-submitted HTML, keeping whitelisted elements and whitelisted attributes on a per-element basis. Versions of Apostrophe sanitize-html before 2.0.0-beta contain a security vulnerability: the sanitizeHtml function does not sanitize content when the transformTags option is used, which may result in a cross-site scripting attack.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
App1pro
Published
2025-09-08
Last Modified
2026-02-24
References
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225
https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
https://github.com/apostrophecms/sanitize-html/issues/293
https://github.com/apostrophecms/sanitize-html/pull/156
https://access.redhat.com/security/cve/cve-2019-25225
Patch
https://github.com/apostrophecms/sanitize-html/tags