VYPR
Moderate severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 17, 2024

CVE-2017-0928

Description

An external control of critical state data in html-janitor before 2.0.4 allows attackers to bypass sanitization by manipulating the '_sanitized' variable via DOM clobbering.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The html-janitor npm package before version 2.0.4 contains an External Control of Critical State Data vulnerability [1], [2]. While walking the DOM tree it is cleaning, the library records that a node has already been processed by setting a `_sanitized` property on the node itself, and it skips any node on which that property reads as truthy. The nodes are built from attacker-supplied markup, so the markup can shadow that property before the sanitizer ever sets it: this is DOM clobbering. The usual shape is a `<form>` element, which exposes its named controls as properties, so `<form><input name="_sanitized"> ... </form>` makes `form._sanitized` resolve to the `<input>` element, a truthy value. The sanitizer then treats the form, and everything nested inside it, as already clean and skips it entirely [2].

Exploitation

No authentication or special network position is required: any application that takes user-supplied HTML and runs it through html-janitor < 2.0.4 on the client is exposed. The attacker crafts markup that makes `_sanitized` read as truthy on an element before the sanitizer has processed it; DOM clobbering is the documented vector [2]. The sanitizer treats that element as already clean and returns it, and its subtree, unmodified, so a `<script>` element or an event-handler attribute placed inside the clobbered element survives into the output.
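As an added example (not html-janitor's code and not the proof of concept from the advisory), the following JavaScript models the pattern described in the Vulnerability and Exploitation sections above, beside the identity-keyed alternative that closes the hole. The names `el`, `text`, `sanitizeVulnerable`, `sanitizeHardened`, `payload` and `demo` are this example's own; the `Proxy` reproduces the HTMLFormElement named-property lookup so the file runs in Node without a browser or jsdom; the tag allowlist and "drop disallowed elements with their subtree" rule are simplifications of a real sanitizer, not html-janitor's actual rules; and the payload tree is constructed inline.

```javascript
'use strict';
// Added example, not html-janitor's code. A Proxy stands in for the one browser
// behaviour the clobbering relies on (HTMLFormElement exposing its controls as
// named properties), so the file runs in Node without a browser or jsdom.

const ALLOWED = new Set(['p', 'b', 'i', 'a']);   // tag allowlist of this toy sanitizer
const VOID = new Set(['input']);                  // serialized without a closing tag

function text(s) { return { tag: '#text', text: s, attrs: {}, children: [] }; }

function el(tag, attrs = {}, children = []) {
  const node = { tag, attrs, children };
  if (tag !== 'form') return node;
  // In a browser, <form><input name="x"></form> makes form.x that <input>.
  // An own property set by script (form.x = true) wins over the named lookup,
  // which is why marking a node after processing still looks correct to its author.
  return new Proxy(node, {
    get(target, prop) {
      if (typeof prop !== 'string' || prop in target) return target[prop];
      return target.children.find((c) => c.attrs.name === prop);
    },
  });
}

// Vulnerable shape: "already sanitized" is an expando property read from the
// node itself, and that check runs before the tag is examined.
function sanitizeVulnerable(parent) {
  parent.children = parent.children.filter((node) => {
    if (node._sanitized) return true;          // clobbered: the <input> on the <form> is truthy
    if (node.tag === '#text') return true;
    if (!ALLOWED.has(node.tag)) return false;  // drop disallowed element and its subtree
    sanitizeVulnerable(node);
    node._sanitized = true;                    // mark so later passes skip it
    return true;
  });
  return parent;
}

// Hardened shape: the state lives in a WeakSet keyed by node identity, outside
// the DOM, so nothing in the parsed markup can influence it.
function sanitizeHardened(parent, done = new WeakSet()) {
  parent.children = parent.children.filter((node) => {
    if (done.has(node)) return true;
    if (node.tag === '#text') return true;
    if (!ALLOWED.has(node.tag)) return false;
    sanitizeHardened(node, done);
    done.add(node);
    return true;
  });
  return parent;
}

function containsTag(node, tag) {
  return node.tag === tag || node.children.some((c) => containsTag(c, tag));
}

function serialize(node) {
  if (node.tag === '#text') return node.text;
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  if (VOID.has(node.tag)) return `<${node.tag}${attrs}>`;
  return `<${node.tag}${attrs}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Constructed payload: the tree a browser would build from
//   <div><p>hi</p><form><input name="_sanitized"><script>alert(1)</script></form></div>
function payload() {
  return el('div', {}, [
    el('p', {}, [text('hi')]),
    el('form', {}, [
      el('input', { name: '_sanitized' }),
      el('script', {}, [text('alert(1)')]),
    ]),
  ]);
}

function demo() {
  const vuln = sanitizeVulnerable(payload());
  const hard = sanitizeHardened(payload());
  return {
    clobbered: payload().children[1]._sanitized.tag,   // 'input': truthy before any pass
    vulnerable: serialize(vuln),                       // the <script> survives
    hardened: serialize(hard),                         // <form> and its <script> are dropped
    vulnerableKeepsScript: containsTag(vuln, 'script'),
    hardenedKeepsScript: containsTag(hard, 'script'),
  };
}

console.log(demo());
```

Run it with `node`. The form/input markup is the standard DOM-clobbering shape; this page documents DOM clobbering as the vector without spelling out a payload, so treat the payload as illustrative. The design point is general: any state stored on nodes the attacker built (`node._sanitized`, `node.dataset.*`, custom properties) is reachable from markup, while state held in a `WeakSet` or `WeakMap` keyed by node identity is not, and the DOM node is still garbage-collected normally.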

Impact

Successful exploitation allows an attacker to inject arbitrary HTML or JavaScript into the output, leading to cross-site scripting (XSS) and potential theft of session cookies, data exfiltration, or other client-side attacks [2]. The scope is the same as the application's origin.

Mitigation

Upgrade to html-janitor version 2.0.4 or later, released in 2018, which fixes the vulnerability by properly isolating the `_sanitized` state from the nodes being sanitized [1], [2]. No workarounds are documented for older versions; updating is the recommended action. Confirm which version an application actually resolves with `npm ls html-janitor`, since a transitive dependency can pin an affected release even when the direct one is current.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
html-janitor (npm) | >= 0 | (none listed here; the description and the fix note above give 2.0.4 as the first fixed release)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 0 (no linked articles in the index yet)