CVE-2022-48345
Description
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
sanitize-url before 6.0.2 allows XSS through HTML entities such as &colon; and &Tab; that bypass its dangerous-protocol detection.
Vulnerability
Description
The @braintree/sanitize-url library prior to version 6.0.2 contained a cross-site scripting (XSS) vulnerability caused by incomplete handling of HTML character references in user-supplied URLs. The library used regular expressions to detect and block dangerous schemes such as javascript: and data:, but before running that check it decoded only numeric character references (&#NN;). Named references were left in place, so a colon written as &colon; or a tab written as &Tab; reached the scheme check untouched: the scheme regex required a literal colon, and a &Tab; placed inside the word javascript broke the keyword match, allowing an attacker to obfuscate the scheme [1][2].
Exploitation
An attacker could craft a URL such as javascript&colon;alert('xss'); or javasc&Tab;ript:alert('XSS');. Because the vulnerable sanitizer decoded only numeric references, these named references survived into the scheme check: in the first case the scheme regex found no literal colon and treated the input as having no scheme at all, and in the second the &Tab; split the word javascript so the dangerous-protocol regex did not match. The string was returned as if safe and could be placed in an HTML attribute such as href. If the application then wrote it into markup without escaping the ampersand (for example via innerHTML or an unescaped template expression), the browser's HTML parser decoded &colon; to a colon and &Tab; to a tab, and since the URL parser strips tab characters before reading the scheme, the attribute became a plain javascript: URL and the attacker's script executed when the link was followed. No authentication or special privileges are needed; the vulnerability is triggered simply by injecting the malicious string into a field sanitized by the library [2][3].
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the affected web page. This can lead to theft of sensitive data (cookies, tokens), session hijacking, defacement, or further malicious actions against the user's session. The XSS could be stored (e.g., in a comment field) or reflected (via crafted links).
Mitigation
The issue was patched in commit d4bdc89 and released in version 6.0.2 [2][4]. The fix adds a regex that rewrites the named tab entity (&tab;, matched case-insensitively) to its numeric form &#9; before the existing numeric-entity decoding runs, so it becomes a real tab that the control-character filter then strips, and widens the scheme detection regex so that &colon; as well as a literal colon terminates the scheme [2]. Users should upgrade to @braintree/sanitize-url 6.0.2 or later. No workarounds have been provided; updating is the recommended action. The returned value is still a raw URL string: it must be written into the attribute with normal HTML attribute encoding, because the library does not escape its output.
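The following is an added example covering the Description, Exploitation and Mitigation passages above; it is not code from this page or from braintree/sanitize-url. It re-implements the protocol check as it stood before 6.0.2 and after the fix, using the regex constants and the &#9; rewrite visible in the patch, and adds a small model of the browser side (HTML character-reference decoding followed by the URL parser's tab/newline stripping) that turns the surviving entities back into a javascript: URL. The wrapper names sanitize, sanitizeUrlVulnerable, sanitizeUrlFixed, browserSeesScheme, the three-entry namedRefs table and the sample inputs are this example's own.

```typescript
// Added example (not the library's own code): minimal re-implementation of
// sanitize-url's scheme check before and after the d4bdc89 fix, plus a model
// of what a browser does with the returned string.

const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;            // numeric references only
const htmlTabEntityRegex = /&tab;/gi;                     // added in 6.0.2
const ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
const urlSchemeRegexOld = /^([^:]+):/gm;                  // < 6.0.2: needs a literal ':'
const urlSchemeRegexNew = /^.+(:|&colon;)/gim;            // 6.0.2: '&colon;' ends a scheme too

// Both versions decode only numeric references (&#106; -> "j"), so a named
// reference such as &Tab; or &colon; reaches the scheme check untouched.
function decodeNumericEntities(str: string): string {
  return str.replace(htmlEntitiesRegex, (_m: string, dec: string) =>
    String.fromCharCode(Number(dec))
  );
}

// fixed=false reproduces the pre-6.0.2 logic, fixed=true the patched logic.
function sanitize(url: string, fixed: boolean): string {
  // 6.0.2 first rewrites &tab; (any case) to &#9; so the numeric decoder turns
  // it into a real tab, which ctrlCharactersRegex then strips.
  const withTabs = fixed ? url.replace(htmlTabEntityRegex, "&#9;") : url;
  const cleaned = decodeNumericEntities(withTabs).replace(ctrlCharactersRegex, "").trim();
  if (!cleaned) return "about:blank";
  if (cleaned[0] === "." || cleaned[0] === "/") return cleaned;   // relative URL, allowed
  const scheme = cleaned.match(fixed ? urlSchemeRegexNew : urlSchemeRegexOld);
  if (!scheme) return cleaned;              // "no scheme found": passed through unchanged
  return invalidProtocolRegex.test(scheme[0] ?? "") ? "about:blank" : cleaned;
}

function sanitizeUrlVulnerable(url: string): string { return sanitize(url, false); }
function sanitizeUrlFixed(url: string): string { return sanitize(url, true); }

// Browser side, for the case where the sanitized string is written into markup
// unescaped: the HTML parser decodes character references in the attribute
// value, then the URL parser drops ASCII tab/newline before reading the scheme.
// Only three real HTML5 named references are modelled (assumption of this example).
const namedRefs: Record<string, string> = { Tab: "\t", NewLine: "\n", colon: ":" };

function browserSeesScheme(hrefAttributeValue: string): string {
  const decoded = hrefAttributeValue
    .replace(/&([A-Za-z]+);/g, (m: string, name: string) =>
      Object.prototype.hasOwnProperty.call(namedRefs, name) ? (namedRefs[name] ?? m) : m
    )
    .replace(/&#(\d+);/g, (_m: string, d: string) => String.fromCharCode(Number(d)));
  const url = decoded.replace(/[\t\n\r]/g, "");         // URL spec: strip tab/newline
  const match = url.match(/^([A-Za-z][A-Za-z0-9+.-]*):/);
  const scheme = match ? match[1] : undefined;
  return scheme ? scheme.toLowerCase() : "";
}

// Constructed inputs: the two advisory vectors, a numeric-entity vector the old
// code already caught, and a benign URL that must survive both versions.
const samples: string[] = [
  "javascript&colon;alert('xss');",
  "javasc&Tab;ript:alert('XSS');",
  "&#106;avascript:alert(1)",
  "https://example.com/path?next=/home",
];

for (const s of samples) {
  const before = sanitizeUrlVulnerable(s);
  console.log(
    s + "  | old: " + before + "  | browser scheme: " + browserSeesScheme(before) +
    "  | new: " + sanitizeUrlFixed(s)
  );
}
```

Running it shows the two advisory vectors passing through the old check unchanged while the browser model still resolves them to the javascript scheme, and the patched check returning about:blank for both without affecting the benign URL.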
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @braintree/sanitize-url (npm) | < 6.0.1 | 6.0.1 |
Affected products
- @braintree/sanitize-url/sanitize-url
- Range: <6.0.2
Patches
- d4bdc89f1743 Fix html entity tab (#45)
3 files changed · +18 −1
CHANGELOG.md+5 −0 modified@@ -1,5 +1,10 @@ # CHANGELOG +## unreleased + +- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized +- Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized + ## 6.0.0 **Breaking Changes**
src/index.ts+3 −1 modified@@ -1,8 +1,9 @@ const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im; const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; +const htmlTabEntityRegex = /&tab;/gi; const ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; -const urlSchemeRegex = /^([^:]+):/gm; +const urlSchemeRegex = /^.+(:|:)/gim; const relativeFirstCharacters = [".", "/"]; function isRelativeUrlWithoutProtocol(url: string): boolean { @@ -11,6 +12,7 @@ function isRelativeUrlWithoutProtocol(url: string): boolean { // adapted from https://stackoverflow.com/a/29824550/2601552 function decodeHtmlCharacters(str: string) { + str = str.replace(htmlTabEntityRegex, "	"); return str.replace(htmlEntitiesRegex, (match, dec) => { return String.fromCharCode(dec); });
src/__tests__/test.ts+10 −0 modified@@ -100,6 +100,7 @@ describe("sanitizeUrl", () => { "javascript:alert('XSS')", "jav	ascript:alert('XSS');", "  javascript:alert('XSS');", + "javasc	ript: alert('XSS');", ]; attackVectors.forEach((vector) => { @@ -136,6 +137,15 @@ describe("sanitizeUrl", () => { ); }); + it(`disallows ${protocol} urls that use : for the colon portion of the url`, () => { + expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe( + "about:blank" + ); + expect(sanitizeUrl(`${protocol}&COLON;alert(document.domain)`)).toBe( + "about:blank" + ); + }); + it(`disregards capitalization for ${protocol} urls`, () => { // upper case every other letter in protocol name const mixedCapitalizationProtocol = protocol
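Review bot: in the src/index.ts hunk, the new htmlTabEntityRegex handles exactly one named reference (&tab;) while htmlEntitiesRegex still decodes only numeric &#...; forms, so any other named reference that a browser decodes to a character inside ctrlCharactersRegex's range, such as &NewLine; (U+000A, a standard HTML5 named reference), still reaches urlSchemeRegex undecoded in the same way &Tab; did before this change. Suggest covering the known whitespace references in one regex, for example `const htmlCtrlEntityRegex = /&(tab|newline);/gi;`, and adding a comment explaining why the entity is rewritten to numeric form (so the existing decoder and control-character strip take care of it) rather than replaced directly. Also worth a comment: the replacement urlSchemeRegex `/^.+(:|&colon;)/gim` is greedy, so urlSchemeParseResults[0] now extends to the last `:` or `&colon;` in the string instead of the first; that is only safe because invalidProtocolRegex is anchored at the start of that prefix.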
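Review bot: the src/__tests__/test.ts hunk adds only negative cases for &colon; and one more attack vector, but no positive case showing that a benign URL with `&colon;` or `&Tab;` outside the scheme (for example in a query string) is still returned unchanged, which matters now that urlSchemeRegex matches up to the last `:` or `&colon;` rather than the first. Suggest adding such an allow case next to the new `disallows ${protocol} urls that use &colon; ...` test so the widened regex cannot silently start rejecting legitimate links.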
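Review bot: the CHANGELOG.md hunk describes the two inputs but not the resulting behaviour or that this is a security fix; under `## unreleased` the entries should say that such inputs now sanitize to `about:blank` and, once published, reference the advisory, so a user scanning the changelog can tell a sanitizer bypass was closed rather than a cosmetic change made.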
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q8gg-vj6m-hgmj (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-48345 (advisory, via GHSA)
- github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c (web, via GHSA)
- github.com/braintree/sanitize-url/compare/v6.0.0...v6.0.1 (web, via GHSA)
- github.com/braintree/sanitize-url/compare/v6.0.1...v6.0.2 (web, via GHSA)
News mentions
No linked articles in our index yet.