CVE-2017-0931
Description
html-janitor npm package before 2.0.3 is vulnerable to Cross-Site Scripting (XSS) via the clean() function accepting unsanitized user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The html-janitor npm package, in all versions before 2.0.3, contains a Cross-Site Scripting (XSS) vulnerability in its clean() function. clean() is the function applications call to strip disallowed markup from untrusted HTML; in affected versions it lets malicious HTML/JavaScript through, so any caller that relies on its return value being safe to insert into the DOM is exposed [1][2].
Exploitation
An attacker supplies crafted HTML wherever the application feeds user-controlled content into clean(). No authentication or special network position is required beyond the ability to submit that input. Because the crafted markup is returned without the expected sanitization, inserting the result into a page executes the attacker's script in the victim's browser [1][2].
Impact
Successful exploitation yields stored or reflected Cross-Site Scripting (XSS): the attacker can run arbitrary JavaScript in the origin of the vulnerable application, steal session cookies or tokens, deface pages, or perform actions as the victim user. The reach of the attack depends on where the application inserts clean() output and whether that content is persisted and shown to other users [1][2].
Mitigation
Upgrade to html-janitor version 2.0.3 or later, which fixes the vulnerability. No workaround is available. The fixed version is published on the npm registry and referenced in the GitHub advisory [2]; the installed version in a project can be confirmed with `npm ls html-janitor`. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
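Two checks a practitioner would want when triaging this advisory, written as an added example (this is not html-janitor's code and does not call its clean(), which requires a browser DOM): a version gate that tests an installed version against the advisory's affected range, and a regression harness that runs a sanitizer over constructed XSS probe payloads and reports any active content that survives. The `passthroughClean` function is a stand-in for the failure mode the advisory describes (input returned unsanitized); the probe strings and the active-content patterns are assumptions chosen for illustration.

```javascript
// Added example for CVE-2017-0931; not html-janitor's own code.
// 1. isAffectedVersion(): is an installed html-janitor version in the
//    advisory's affected range (< 2.0.3)?
// 2. auditSanitizer(): feed a sanitizer constructed XSS probes and list the
//    ones whose output still contains active content.

const PATCHED_VERSION = '2.0.3'; // patched version from the GitHub advisory

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `installed` is strictly lower than 2.0.3.
function isAffectedVersion(installed) {
  const a = parseSemver(installed);
  const b = parseSemver(PATCHED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // exactly the patched version
}

// Constructed probe payloads (assumption: a representative, not exhaustive, set).
// The last entry is a benign control that a sanitizer should leave alone.
const XSS_PROBES = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">x</a>',
  '<svg><script>alert(1)</script></svg>',
  '<div style="background:url(javascript:alert(1))">x</div>',
  '<iframe srcdoc="<script>alert(1)</script>"></iframe>',
  '<p>benign <b>bold</b> text</p>',
];

// Markers of active content that must never appear in sanitized output.
// These are detection heuristics for a regression test, not a sanitizer.
const ACTIVE_CONTENT = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'iframe/object/embed', re: /<\s*(iframe|object|embed)\b/i },
];

// Names of the active-content markers present in `html`.
function findActiveContent(html) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Run every probe through `clean` and return the probes that survived.
function auditSanitizer(clean) {
  const failures = [];
  for (const probe of XSS_PROBES) {
    const output = clean(probe);
    const hits = findActiveContent(output);
    if (hits.length > 0) failures.push({ probe, output, hits });
  }
  return failures;
}

// Stand-in for the behaviour the advisory describes: a clean() that returns
// its input unsanitized. Not html-janitor's real implementation.
function passthroughClean(html) {
  return html;
}

// Stand-alone run: the version gate and the audit against the stand-in.
console.log('2.0.2 affected:', isAffectedVersion('2.0.2')); // true
console.log('2.0.3 affected:', isAffectedVersion('2.0.3')); // false
const report = auditSanitizer(passthroughClean);
console.log(`${report.length} of ${XSS_PROBES.length} probes survived`);
for (const f of report) console.log('  ', f.probe, '->', f.hits.join(', '));
```

Replace `passthroughClean` with the application's real sanitizer wrapper (in a browser or jsdom test runner for html-janitor) and fail the build when `auditSanitizer` returns anything; the benign control guards against a "sanitizer" that passes only because it strips everything. The pattern list is a safety net for tests, not a substitute for upgrading to 2.0.3.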
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| html-janitor (npm) | < 2.0.3 | 2.0.3 |
Affected products
- HackerOne / html-janitor node module: all versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- GitHub advisory GHSA-hfj4-96f7-6r5g: github.com/advisories/GHSA-hfj4-96f7-6r5g
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2017-0931
- guardian/html-janitor issue #34: github.com/guardian/html-janitor/issues/34
- HackerOne report 308155: hackerone.com/reports/308155
- npm advisory 576: www.npmjs.com/advisories/576
News mentions
No linked articles in our index yet.