LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS ## Summary The `strip_html` filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (`<.*?>`) does not match line terminators, so any HTML tag containing a `\n` or `\r` character passes through unmodified. An attacker who can place a newline inside a tag (e.g. ``) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting `onerror`/`onload`/etc. handler. This results in stored or reflected XSS in any application that relies on `strip_html` to neutralize untrusted HTML. ## Details The vulnerable code is in `src/filters/html.ts`: ```ts // src/filters/html.ts:45-49 export function strip_html (this: FilterImpl, v: string) { const str = stringify(v) this.context.memoryLimit.use(str.length) return str.replace(/||<.*?>|/g, '') } ``` The regex has four alternations: 1. `` — uses `[\s\S]`, matches across newlines. 2. `` — uses `[\s\S]`, matches across newlines. 3. `<.*?>` — uses `.`, which in JavaScript does **not** match `\n` or `\r` (no `s`/dotAll flag set). 4. `` — uses `[\s\S]`, matches across newlines. Branch 3 is the catch-all for "any other tag." Because `.` excludes line terminators, a tag containing a newline does not match any alternative. The literal characters of the tag are passed through to the output. Browsers, however, parse HTML tag content with whitespace tolerance: per the HTML spec, attribute names and values may be separated by ASCII whitespace, which includes `\n` and `\r`. So `` is parsed as a valid `img` element with an `onerror` handler. `liquidjs`' default rendering pipeline does not auto-escape filter output (the `outputEscape` engine option is undefined by default — see `src/liquid-options.ts`), so the unescaped HTML is delivered verbatim to the consumer's HTML response. Trust path: - Application receives untrusted input (e.g. user comment field). - Developer renders it as `{{ comment | strip_html }}` to "safely" embed user content as plaintext. - Attacker submits ``. - `strip_html` returns the input unchanged. - Output is written into the HTML response with no further escaping. - Victim's browser executes the attacker's JavaScript in the application's origin. This is an inconsistency bug: the same regex correctly uses `[\s\S]` for `

CVE-2026-44644 Blast Radius

Is Your Infrastructure Using These Packages?