Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html
Summary
Under the default configuration,sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized output back to users.Details
Insanitize-html@2.17.3, the default nonTextTags list includes only script, style, textarea, and option in index.js lines 138-142. That means disallowed xmp tags are not treated as "drop the entire contents" tags.Later, in the ontext handler at index.js lines 569-577, the code special-cases textarea and xmp and appends their text content directly to the output without escaping:
} else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (tag === 'textarea' || tag === 'xmp')) {
result += text;
}Because htmlparser2 treats xmp as a raw-text element, markup inside xmp is parsed as text on input but becomes live markup again once it is appended unescaped to the sanitized output.
This creates a default sanitizer bypass. For example, a disallowed ` wrapper can be used to smuggle or event-handler payloads through sanitization.
The README also appears to contradict the implementation. In the "Discarding the entire contents of a disallowed tag" section, the documented exception list names only style, script, textarea, and option, and does not mention xmp.
PoC
Tested locally against sanitize-html@2.17.3 on Node.js v25.2.1.
- Install the package:
npm install sanitize-html
- Run the following script:
const sanitizeHtml = require('sanitize-html');console.log(sanitizeHtml('alert(1)'));
console.log(sanitizeHtml(''));
console.log(sanitizeHtml('alert(1)'));
- Observed output:
alert(1)alert(1)
- Render any of the returned strings in a browser context that trusts
sanitize-html output, for example:const dirty = 'alert(1)';
const clean = sanitizeHtml(dirty);
If
clean is inserted into the DOM or stored and later rendered as trusted HTML, the attacker-controlled script executes.Impact
This is a cross-site scripting vulnerability in the default sanitizer behavior. Any application that uses sanitize-html` defaults and then renders the returned HTML as trusted output is impacted. A remote attacker who can submit HTML content can trigger execution of arbitrary JavaScript in another user's browser when that content is viewed.