VYPR
Moderate severity · OSV Advisory · Published Sep 8, 2025 · Updated Sep 8, 2025

CVE-2019-25225

Description

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

sanitize-html before 2.0.0-beta fails to sanitize text content produced by the custom transformTags option, allowing XSS via malicious input.

Vulnerability

Overview

CVE-2019-25225 is a Cross-site Scripting (XSS) vulnerability in the sanitize-html library, affecting all versions prior to version 2.0.0-beta. The flaw resides in the sanitizeHtml() function within index.js. When the custom transformTags option is used (a feature intended to convert attribute values into text), the library does not properly sanitize the resulting content. As a result, malicious input can be transformed into executable HTML/JavaScript code [1][2].

Attack

Vector and Exploitation

An attacker can exploit this vulnerability by providing crafted HTML input that, when processed by sanitize-html with a transformTags policy, results in the injection of script content. The transformTags option allows users to define custom transformations, such as converting an `<input>` element's value attribute into the text content of a different tag. The proof-of-concept demonstrates that an input like `<input value="&lt;script&gt;alert(1)&lt;/script&gt;">` can be transformed into `<script>alert(1)</script>`: the entity-encoded script tag is decoded when the attribute value is read, and the resulting text is emitted without being re-escaped, so it is rendered as executable code in a browser [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to theft of sensitive data, session hijacking, defacement, or other malicious actions typically associated with stored or reflected XSS attacks. The vulnerability is particularly dangerous because sanitize-html is commonly used to clean user-submitted HTML, and the transformTags feature is intended to make such transformations safe [1][3].

Mitigation

The vulnerability is fixed in version 2.0.0-beta and later. Users should upgrade to a patched version immediately. The fix ensures that text content generated by transformTags is properly escaped before being inserted into the output, as shown in the commit that adds escapeHtml(frame.innerText) [4]. No workaround is available for unpatched versions.
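Added here as a worked example (not sanitize-html's own code): a self-contained model of the vulnerable and patched emit paths described in the attack and mitigation sections, run on the same proof-of-concept input as the regression test in the patch. The names parseTag, decodeEntities, transformInput, renderTransformed and onlyAllowedTags are assumed for this illustration; the parser is a simplified stand-in for the real one.

```javascript
// Added example, not sanitize-html's own code: a minimal model of how the text a
// transformTags handler returns reaches the output before and after the fix.
// parseTag/decodeEntities stand in for the real parser (assumption: attribute
// values arrive already entity-decoded, which is what makes the raw emit unsafe).
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Text/attribute escaping in the spirit of the escapeHtml() the fix calls.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Parse one tag such as <input value="..."> into { tagName, attribs }.
function parseTag(html) {
  const m = /^<([a-z]+)((?:\s+[a-z-]+="[^"]*")*)\s*\/?>$/i.exec(html.trim());
  if (!m) throw new Error('expected a single tag');
  const attribs = {};
  for (const [, name, value] of m[2].matchAll(/([a-z-]+)="([^"]*)"/gi)) {
    attribs[name.toLowerCase()] = decodeEntities(value);
  }
  return { tagName: m[1].toLowerCase(), attribs };
}

// The policy from the regression test: <input> becomes <u class="inlined-input">
// whose text is the input's value attribute.
const transformInput = (tagName, attribs) =>
  ({ tagName: 'u', attribs: { class: 'inlined-input' }, text: attribs.value || '' });

// escapeText=false models `result += frame.innerText` (before the fix);
// escapeText=true models `result += escapeHtml(frame.innerText)` (the fix).
function renderTransformed(html, transform, escapeText) {
  const { tagName, attribs } = parseTag(html);
  const out = transform(tagName, attribs);
  const attrs = Object.entries(out.attribs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  const text = escapeText ? escapeHtml(out.text) : out.text;
  return `<${out.tagName}${attrs}>${text}</${out.tagName}>`;
}

// Caller-side invariant: sanitizer output must contain no tag outside the allow-list.
function onlyAllowedTags(html, allowed) {
  const tags = [...html.matchAll(/<\/?([a-z][a-z0-9-]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.every((t) => allowed.includes(t));
}

// Constructed PoC input, the same one the patched regression test uses.
const POC = '<input value="&lt;script&gt;alert(1)&lt;/script&gt;">';
const vulnerable = renderTransformed(POC, transformInput, false);
const fixed = renderTransformed(POC, transformInput, true);
```

The onlyAllowedTags check is the kind of post-sanitization assertion a caller can keep around as a regression guard, since it fails on the unpatched output whatever the transform did.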

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
sanitize-html (npm)   < 2.0.0-beta        2.0.0-beta

Affected products

2

Patches

1
712cb6895825

Merge pull request #156 from mikesamuel/master

2 files changed · +26 -1
  • index.js +1 -1 modified
    @@ -390,7 +390,7 @@ function sanitizeHtml(html, options, _recursing) {
           } else {
             result += '>';
             if (frame.innerText && !hasText && !options.textFilter) {
    -          result += frame.innerText;
    +          result += escapeHtml(frame.innerText);
             }
           }
           if (skip) {
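Review bot: the escape at `result += escapeHtml(frame.innerText);` is applied only on the branch guarded by `frame.innerText && !hasText && !options.textFilter`, so when a caller supplies options.textFilter the transformTags text does not pass through this line; the hunk does not show where innerText is emitted in that case, and the same escapeHtml treatment should be confirmed there before merging. The diff also does not show escapeHtml's definition; for this text-context use it must at minimum encode &, < and >.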
    
  • test/test.js +25 -0 modified
    @@ -703,6 +703,31 @@ describe('sanitizeHtml', function() {
           '<img src="fallback.jpg" srcset="foo.jpg 100w 2x, bar.jpg 200w 1x" />'
         );
       });
    +
    +  it('text from transformTags should not specify tags', function() {
    +    var input = '<input value="&lt;script&gt;alert(1)&lt;/script&gt;">';
    +    var want = '<u class="inlined-input">&lt;script&gt;alert(1)&lt;/script&gt;</u>';
    +    // Runs the sanitizer with a policy that turns an attribute into
    +    // text.  A policy like this might be used to turn inputs into
    +    // inline elements that look like the original but which do not
    +    // affect form submissions.
    +    var got = sanitizeHtml(
    +        input,
    +        {
    +          allowedTags: [ 'u' ],
    +          allowedAttributes: { '*': ['class'] },
    +          transformTags: {
    +            input: function (tagName, attribs) {
    +              return {
    +                tagName: 'u',
    +                attribs: { class: 'inlined-input' },
    +                text: attribs.value
    +              };
    +            }
    +          }
    +        });
    +    assert.equal(got, want);
    +  });
       it('drop attribute names with meta-characters', function() {
         assert.equal(
           sanitizeHtml('<span data-<script>alert(1)//>', {
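Review bot: the regression test covers only the entity-encoded form of the payload (`&lt;script&gt;` inside the value attribute); since attribs.value arrives already decoded, a second case with a literal `<script>` in the attribute value would pin down that the escaping applies to the decoded text however it was written. Style: there is no blank line between the closing `});` of the new test and the following `it('drop attribute names with meta-characters', ...)`, whereas the new test is itself separated from the preceding one by a blank line.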
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.