VYPR
Moderate severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 17, 2024

CVE-2017-16017

Description

sanitize-html is a library for scrubbing HTML input for malicious values. Versions 1.2.2 and below have a cross-site scripting vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

sanitize-html versions before 1.2.3 are vulnerable to cross-site scripting (XSS) via crafted HTML with empty, undelimited attributes.

Vulnerability

sanitize-html is a Node.js library for sanitizing HTML input against malicious content. Versions prior to 1.2.3 contain a cross-site scripting (XSS) vulnerability in the way attribute values are written back to the output. When the library encounters an empty, undelimited attribute (e.g., `), the attacker-controlled value is emitted inside a double-quoted attribute without its own double quotes being neutralized, so the injected event handler is not stripped. The generated output becomes `, in which a quote inside the value terminates the attribute early and the browser parses the remainder as a separate, attacker-chosen attribute carrying JavaScript, allowing script execution [1][4].

Exploitation

An attacker only needs to craft a malicious HTML string that includes empty, undelimited attributes, such as ``, and submit it to an application that passes user content through the vulnerable sanitizer. No special network position or authentication is required. The attacker must then get a victim to render the sanitized output in a browser (e.g., via a comment, message, or other user-generated content field). Because the vulnerable sanitizer does not detect the unescaped double quotes, the injection survives sanitization and is preserved in the output [2][4].

Impact

Successful exploitation results in stored or reflected cross-site scripting (XSS). The attacker's JavaScript executes in the context of the victim's browser, enabling session theft, credential harvesting, defacement, or further attacks against the application. The impact is moderate, but the vulnerability can be triggered without authentication if the application accepts user-supplied HTML [3].

Mitigation

Upgrade to sanitize-html version 1.2.3 or later, which was released to fix this issue. The fix strips any unescaped double-quotes from the output (pull request #20) [2]. The vulnerability is listed in the GitHub Advisory Database as GHSA-wg96-3933-j2w5 [3]. No workaround is available for older versions; users must update the package.
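To make the mechanism in the Vulnerability and Mitigation sections concrete, the following is an added, constructed model of the failure class; it is not sanitize-html's parser or serializer, not the upstream fix from pull request #20, and not the original proof-of-concept input (which this page does not reproduce). The allowlist `{ a: ['href'] }`, the payload `<a href=x"onclick="alert(1)">`, and the function names are assumptions made for the demonstration. The vulnerable serializer escapes `<`, `>` and `&` in attribute values but leaves `"` alone; re-parsing its output the way a browser tokenizer would shows the quote closing `href` early and a new `onclick` attribute appearing. The fixed serializer here neutralizes the quote by escaping it to `&quot;`; the page reports that upstream chose to strip unescaped double quotes instead, and either approach prevents the quote from terminating the attribute.

```javascript
// Added illustration of the failure class behind CVE-2017-16017. Toy model only:
// not sanitize-html's code, not its fix, and not the original PoC input.

// Tokenizer-style attribute parser for one start tag. As in a real HTML
// tokenizer, an unquoted value runs until whitespace or '>' and may therefore
// contain double quotes. Returns [name, value] pairs in source order.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s\/>]*/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(inner)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs.push([m[1].toLowerCase(), value]);
  }
  return attrs;
}

// Constructed allowlist for the demo (assumption, not sanitize-html's defaults).
const ALLOWED = { a: ['href'] };

// Serialize one tag, keeping only allowlisted attributes. The escapeValue
// callback is the sole difference between the vulnerable and fixed variants.
function sanitizeTag(tag, escapeValue) {
  const match = tag.match(/^<([a-zA-Z][^\s\/>]*)/);
  const name = match ? match[1].toLowerCase() : null;
  if (!name || !ALLOWED[name]) return '';
  const kept = parseAttributes(tag).filter(([n]) => ALLOWED[name].includes(n));
  return '<' + name + kept.map(([n, v]) => ` ${n}="${escapeValue(v)}"`).join('') + '>';
}

// Vulnerable: escapes <, > and & but lets a double quote through unchanged,
// so a quote inside the value can end the quoted attribute on re-parse.
function escapeNoQuote(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Fixed: additionally turns " into &quot; so it cannot terminate the attribute.
function escapeWithQuote(s) {
  return escapeNoQuote(s).replace(/"/g, '&quot;');
}

const sanitizeVulnerable = (tag) => sanitizeTag(tag, escapeNoQuote);
const sanitizeFixed = (tag) => sanitizeTag(tag, escapeWithQuote);

// What the victim's browser sees: re-parse the sanitizer's output and report
// whether any on* event-handler attribute is now present.
function leaksEventHandler(outputTag) {
  return parseAttributes(outputTag).some(([n]) => n.startsWith('on'));
}

// Constructed payload: a single unquoted href value that smuggles a double quote.
const PAYLOAD = '<a href=x"onclick="alert(1)">';

if (typeof require !== 'undefined' && require.main === module) {
  const bad = sanitizeVulnerable(PAYLOAD);
  const good = sanitizeFixed(PAYLOAD);
  console.log('vulnerable:', bad, '-> handler leaked:', leaksEventHandler(bad));
  console.log('fixed     :', good, '-> handler leaked:', leaksEventHandler(good));
}
```

Running the block prints `<a href="x"onclick="alert(1)"">` for the vulnerable path, which re-parses into an `href` and an `onclick` attribute, and `<a href="x&quot;onclick=&quot;alert(1)&quot;">` for the fixed path, which re-parses into `href` alone. The lesson carries beyond this one library: an allowlist on attribute names is not enough unless the serializer also guarantees that a value cannot escape its own delimiters.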

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions   Patched versions
sanitize-html   npm         < 1.2.3             1.2.3

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)