Moderate severityNVD Advisory· Published Jun 18, 2021· Updated Aug 3, 2024
Passing in a non-string 'html' argument can lead to unsanitized output
CVE-2021-32696
Description
The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
striptagsnpm | < 3.2.0 | 3.2.0 |
Affected products
2- Range: < 3.2.0
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-qxg5-2qff-p49rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32696ghsaADVISORY
- github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2facaghsax_refsource_MISCWEB
- github.com/ericnorris/striptags/releases/tag/v3.2.0ghsax_refsource_MISCWEB
- github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49rghsax_refsource_CONFIRMWEB
- www.npmjs.com/package/striptagsghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.