sanitize-html Cross-Site Scripting Vulnerability in href Attribute Validation

A cross-site scripting (XSS) vulnerability has been identified in the npm package 'sanitize-html', in versions prior to 1.0.3. The issue arises in the 'naughtyHref' function, which fails to properly validate the 'href' attribute of anchor tags. This lack of validation allows malicious links to bypass the sanitizer by using mixed case, whitespace, or hexadecimal encodings. Exploitation of this vulnerability enables the execution of JavaScript embedded in the 'href' attribute.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject and execute malicious JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, install 'sanitize-html' version 1.0.1 and run a server that uses this version. Then, navigate to a page that includes a link with a 'javascript:' URL in the 'href' attribute. Clicking the link will trigger a JavaScript alert, demonstrating the successful execution of injected script.

Remediation

Users can upgrade to 'sanitize-html' version 1.0.3 or later, where this vulnerability has been addressed.