VYPR
Medium severity · 5.4 · NVD Advisory · Published Jun 12, 2026

CVE-2026-53606

Description

sanitize-html prior to 2.17.5 allows XSS via javascript: URIs in URI-bearing attributes not covered by the default scheme validation list.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

sanitize-html versions prior to 2.17.5 use the allowedSchemesAppliedToAttributes list (default: ['href', 'src', 'cite']) to gate the naughtyHref() function that blocks dangerous URI schemes like javascript: and vbscript:. However, the HTML specification defines over 10 attributes that accept URIs (e.g., action, formaction, data, poster, background, ping, xlink:href, dynsrc, lowsrc), none of which are in the default gate list. When a developer explicitly allows any of these attributes in their sanitize-html configuration, javascript: URIs pass through unmodified, enabling stored or reflected XSS [1].

Exploitation

Exploitation requires non-default configuration: the developer must allow a non-default tag and a non-default URI-bearing attribute (e.g., action). An attacker can then craft HTML containing the allowed tag with a javascript: URI in the attribute. For example, such a payload would execute arbitrary JavaScript when the attribute is triggered (e.g., form submission). This is a common configuration pattern in CMS platforms, form builders, and rich content editors [1].

Impact

Successful exploitation leads to cross-site scripting (XSS), allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, cookie theft, defacement, or redirection to malicious sites. The CVSS score is 5.4 (MEDIUM) with scope change [1].

Mitigation

Upgrade to sanitize-html version 2.17.5 or later, which fixes the issue by expanding the default allowedSchemesAppliedToAttributes list or implementing additional validation. Alternatively, developers should avoid allowing URI-bearing attributes unless absolutely necessary, and if required, ensure that allowedSchemesAppliedToAttributes includes all permitted attributes. No workaround exists for vulnerable versions without changing configuration [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing validation: `allowedSchemesAppliedToAttributes` does not include all URI-bearing HTML attributes, so `naughtyHref()` is never called for attributes like `action`, `formaction`, or `data`."

Attack vector

An attacker supplies an HTML payload containing a URI-bearing attribute (e.g., `action="javascript:alert(document.cookie)"`) on a tag that the application has explicitly allowed. Because the attribute name is not in the default `allowedSchemesAppliedToAttributes` list, `naughtyHref()` is never called, and the `javascript:` URI passes through unmodified [1]. When a victim user interacts with the crafted element, such as submitting a form or clicking a button, the browser executes the attacker's JavaScript, resulting in stored or reflected XSS.

Affected code

The vulnerability resides in sanitize-html's `index.js` where `allowedSchemesAppliedToAttributes` (defaulting to `['href', 'src', 'cite']`) gates the `naughtyHref()` scheme validation. The list does not include URI-bearing attributes like `action`, `formaction`, `data`, `poster`, or `background`. When a developer allows any of these attributes, `javascript:` URIs bypass scheme checking entirely.

What the fix does

The advisory recommends either expanding the default `allowedSchemesAppliedToAttributes` list to include all URI-bearing attributes defined by the HTML spec (e.g., `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), or inverting the gate to apply `naughtyHref()` to every attribute by default [1]. Either approach ensures that dangerous URI schemes are blocked regardless of which attribute carries the value, closing the XSS vector.
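The gate described under "Affected code" and the fix direction above, as an added example that is not sanitize-html's own code: `isNaughtyHref` and `filterAttributes` are hypothetical helpers written for this illustration, and the scheme allowlist is an assumption. The same attribute set is run through the vulnerable default gate and the expanded gate so the difference is visible.

```javascript
// Added illustration, not sanitize-html's implementation.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto', 'tel']; // assumed allowlist

// Attribute names the scheme check is applied to. The vulnerable default
// covers only three; the expanded list adds the URI-bearing attributes
// named in the advisory.
const DEFAULT_GATE = ['href', 'src', 'cite'];
const EXPANDED_GATE = [...DEFAULT_GATE, 'action', 'formaction', 'data', 'poster',
  'background', 'ping', 'xlink:href', 'dynsrc', 'lowsrc'];

// Returns true when the value carries a scheme outside the allowlist.
// Whitespace and control characters are stripped first because browsers
// ignore them when parsing a scheme, so "java\tscript:" must be caught.
function isNaughtyHref(value) {
  const cleaned = String(value).replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return false; // relative URL, no scheme to judge
  return !ALLOWED_SCHEMES.includes(m[1]);
}

// Keeps each attribute unless it is gated AND fails the scheme check.
function filterAttributes(attrs, gate) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const gated = gate.includes(name.toLowerCase());
    if (gated && isNaughtyHref(value)) continue; // dropped
    kept[name] = value;
  }
  return kept;
}

// Constructed sample: the advisory's vector 1 (form action) plus a benign link.
const SAMPLE = { action: 'javascript:alert(document.cookie)', href: 'https://example.com/' };

// With the default gate, `action` is never checked and the payload survives.
function vulnerableResult() { return filterAttributes(SAMPLE, DEFAULT_GATE); }
// With the expanded gate (the fix direction the advisory describes) it is dropped.
function fixedResult() { return filterAttributes(SAMPLE, EXPANDED_GATE); }

console.log('default gate :', vulnerableResult());
console.log('expanded gate:', fixedResult());
```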

Preconditions

  • config: The application must use `sanitize-html` with a non-default configuration that allows a tag and one of its URI-bearing attributes (e.g., `action`, `formaction`, `data`).
  • input: The attacker must be able to supply untrusted HTML that includes the vulnerable tag and attribute combination.

Reproduction

```javascript
const sanitize = require('sanitize-html');

// ===== VECTOR 1: form action =====
const v1 = sanitize(
  '<form action="javascript:alert(document.cookie)"><button>Submit</button></form>',
  {
    allowedTags: ['form', 'button'],
    allowedAttributes: { form: ['action'] }
  }
);
console.log('V1 (action):', v1);
// OUTPUT: <form action="javascript:alert(document.cookie)"><button>Submit</button></form>
```

[1]

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
