2393838 – (CVE-2019-25225) CVE-2019-25225 sanitize-html: sanitize-html cross site scripting

Bug 2393838 (CVE-2019-25225) - CVE-2019-25225 sanitize-html: sanitize-html cross site scripting

Summary: CVE-2019-25225 sanitize-html: sanitize-html cross site scripting

Keywords:
Status:	NEW
Alias:	CVE-2019-25225
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-08 11:01 UTC by OSIDB Bzimport
Modified:	2025-09-08 20:14 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-08 11:01:11 UTC

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adudiak
alcohan
anjoseph
bdettelb
caswilli
doconnor
gparvin
jchui
jhe
jprabhak
kaycoth
kshier
ktsao
nboldt
njean
owatkins
pahickey
psrna
rhaigner
sdawley
sdoran
stcannon
teagle
wtam
yguenane