CVE-2019-10062
Description
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed, for example by splitting and nesting SCRIPT elements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aurelia-framework (npm) | < 1.4.1 | 1.4.1 |
Affected products
- Aurelia framework / Aurelia framework
Patches
Vulnerability mechanics
Root cause
"The HTMLSanitizer only filters SCRIPT elements, failing to neutralize JavaScript in HTML attributes or nested/obfuscated script tags, leading to stored or reflected XSS."
Attack vector
An attacker can inject arbitrary JavaScript via HTML attributes (e.g., `onerror`, `onload`, `onclick`) on elements such as `<img>`, `<svg>`, or `<body>`, because the sanitizer only strips `<script>` tags [CWE-79][ref_id=1]. Additionally, the SCRIPT string filtering can be bypassed by splitting or nesting script elements (e.g., `<scr<script>ipt>`), allowing direct script execution [ref_id=1]. The attack requires no authentication and is delivered through any user-controllable input that is rendered as HTML by the Aurelia framework.
Affected code
The vulnerable class is `HTMLSanitizer` in the file `html-sanitizer.ts` (or its compiled JavaScript equivalent `html-sanitizer.js`) in the Aurelia framework 1.x repository [ref_id=1]. The sanitizer only attempts to filter SCRIPT elements, leaving all other HTML elements and their attributes unscrubbed.
What the fix does
No patch is present in the bundle. The advisory recommends that users either implement a custom sanitizer that properly filters all dangerous HTML elements and attributes, or disable the default sanitizer and use a well-vetted third-party HTML sanitization library [ref_id=1]. The root cause is that the `HTMLSanitizer` class only checks for SCRIPT elements, which is an incomplete blocklist approach that fails to cover the full XSS attack surface.
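To make the blocklist-versus-allowlist point concrete, the following is an added JavaScript example, not Aurelia's code and not the patched library: a script-tag blocklist constructed to mirror the behaviour described above, beside an allowlist sanitizer that rebuilds only named tags and attributes. The allowed tag and attribute sets, the URL prefix check and the hand-written tokenizer are illustrative assumptions.

```javascript
// Added example (not Aurelia's code): a script-only blocklist, constructed to mirror the
// behaviour the advisory describes, beside an allowlist sanitizer. The allowed tag and
// attribute sets and the URL prefix check are illustrative assumptions; production code
// should use a vetted library, as the advisory recommends.

// Blocklist approach: strips <script> and </script> tags; everything not named survives.
function blocklistSanitize(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_URL_RE = /^(https?:\/\/|\/|#)/i;          // positive match on known-safe prefixes only
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: neutralise anything that could start a tag.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rebuild one tag from scratch, keeping only allowed attributes with re-quoted values.
function rebuildTag(closing, name, rawAttrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return "";            // unknown tag is dropped; its text content remains
  if (closing) return `</${tag}>`;
  const keep = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!(ALLOWED_ATTRS[tag] || []).includes(attr)) continue;   // drops onerror, onload, onclick, style, ...
    if (URL_ATTRS.has(attr) && !SAFE_URL_RE.test(value.trim())) continue;
    keep.push(` ${attr}="${value.replace(/"/g, "&quot;")}"`);
  }
  return `<${tag}${keep.join("")}>`;
}

// Allowlist approach: everything not explicitly permitted is removed or escaped.
function allowlistSanitize(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index)) + rebuildTag(m[1] === "/", m[2], m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}
```

Running both functions over the split-script and attribute cases named in the advisory shows the blocklist reassembling a script element and leaving event-handler attributes intact, while the allowlist leaves no executable markup.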
Preconditions
- Config: The application must use the Aurelia framework's default HTMLSanitizer to process user-supplied HTML content.
- Input: The attacker must be able to supply HTML input that is rendered by the framework (e.g., via data-binding or innerHTML).
- Network: No authentication is required; the attack can be delivered over HTTP/HTTPS.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m6j2-v3gq-45r5
- nvd.nist.gov/vuln/detail/CVE-2019-10062
- aurelia.io
- discourse.aurelia.io/t/xss-vulnerability-in-htmlsanitizer-might-be-insufficiently-handled/4219
- github.com/aurelia/framework/issues/992
- github.com/aurelia/templating-resources/blob/0cef07a8cac8e99146d8e1c4b734491bb3dc4724/src/html-sanitizer.js
- www.gosecure.net/blog/2021/05/12/aurelia-framework-insecure-default-allows-xss