AhmedAdelFahim express-xss-sanitizer
cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:node.js:*:*
- <= 2.0.1
The Express XSS Sanitizer middleware for Express 4.x and 5.x, in versions through 2.0.1, ignores restrictive sanitization settings when a developer explicitly passes an empty allowedTags list or an empty allowedAttributes map. The validation logic treats an empty configuration as 'not provided' and falls back to the library's more permissive defaults, so a broader set of HTML elements and attributes survives sanitization than the developer intended.
The practical effect is that unintended HTML elements and attributes (for example links via anchor tags) pass through the sanitizer. Whether this becomes Cross-Site Scripting (XSS) depends on how the sanitized content is rendered or otherwise used downstream.
To reproduce, use Express XSS Sanitizer 2.0.1 or earlier and sanitize an input string containing HTML (for example a link or a script tag) while passing an empty allowedTags list and an empty allowedAttributes map. The expected behaviour is that every tag and attribute is removed; the affected versions instead let the injected HTML through.
Upgrade to Express XSS Sanitizer 2.0.2, which changes the validation logic so that explicitly empty allowedTags and allowedAttributes configurations are respected. After upgrading, it is worth keeping a regression test that sanitizes a link with empty allowedTags and allowedAttributes and asserts that all markup is removed, since the failure mode here is silent: the call succeeds and returns HTML that looks sanitized.
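As an added illustration (not express-xss-sanitizer's own code, and not a reproduction of its internals), the toy sanitizer below shows the option-merging mistake the advisory describes next to the corrected check. mergeOptionsVulnerable treats an empty list or map as "not provided" and falls back to permissive defaults; mergeOptionsFixed falls back only when the key is genuinely absent (undefined). The default allow-lists, the sample input and all function names are assumptions for the demo, and the regex-based tag filter exists only to make the difference observable; it is not a usable HTML sanitizer.

```javascript
// Added example: how "empty config means not provided" defeats a lock-down.
// Nothing here is express-xss-sanitizer's code; defaults and names are assumed.

// Assumed permissive defaults, the kind a sanitizer uses when the caller
// provides nothing. The real library's defaults are not reproduced here.
const DEFAULT_ALLOWED_TAGS = ['a', 'b', 'i', 'em', 'strong', 'p'];
const DEFAULT_ALLOWED_ATTRIBUTES = { a: ['href', 'name', 'target'] };

// Vulnerable merge: an empty array or object fails the "has content" test,
// so it is treated as absent and the permissive defaults are used instead.
function mergeOptionsVulnerable(opts = {}) {
  const tags = opts.allowedTags && opts.allowedTags.length > 0
    ? opts.allowedTags : DEFAULT_ALLOWED_TAGS;
  const attrs = opts.allowedAttributes && Object.keys(opts.allowedAttributes).length > 0
    ? opts.allowedAttributes : DEFAULT_ALLOWED_ATTRIBUTES;
  return { allowedTags: tags, allowedAttributes: attrs };
}

// Fixed merge: only a missing key (undefined) falls back to the defaults.
// An explicit empty list means "allow nothing" and must be honoured.
function mergeOptionsFixed(opts = {}) {
  const tags = opts.allowedTags !== undefined ? opts.allowedTags : DEFAULT_ALLOWED_TAGS;
  const attrs = opts.allowedAttributes !== undefined ? opts.allowedAttributes : DEFAULT_ALLOWED_ATTRIBUTES;
  return { allowedTags: tags, allowedAttributes: attrs };
}

// Toy tag filter (regex, not a parser; demo only): drops disallowed tags but
// keeps their inner text, and strips disallowed attributes from allowed tags.
function toySanitize(html, { allowedTags, allowedAttributes }) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  return html.replace(tagRe, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!allowedTags.includes(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    const permitted = allowedAttributes[tag] || [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
    const kept = [];
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      if (permitted.includes(m[1].toLowerCase())) kept.push(`${m[1]}=${m[2]}`);
    }
    return kept.length ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
  });
}

function sanitizeVulnerable(html, opts) { return toySanitize(html, mergeOptionsVulnerable(opts)); }
function sanitizeFixed(html, opts) { return toySanitize(html, mergeOptionsFixed(opts)); }

// Constructed input modelled on the advisory's reproduction: a link and a script tag.
const SAMPLE = '<a href="https://attacker.example/">click</a><script>alert(1)</script>hello';
// The "allow nothing" configuration the developer believes they are enforcing.
const LOCKDOWN = { allowedTags: [], allowedAttributes: {} };

console.log('vulnerable:', sanitizeVulnerable(SAMPLE, LOCKDOWN));
// -> <a href="https://attacker.example/">click</a>alert(1)hello  (anchor survives)
console.log('fixed:     ', sanitizeFixed(SAMPLE, LOCKDOWN));
// -> clickalert(1)hello  (every tag removed, as the caller asked)
```

The check that matters is `!== undefined` versus a truthiness or length test: with an options object both merges behave identically when the caller passes nothing, so the bug is invisible to tests that only exercise the defaults. A regression test for the lock-down case (empty allow-lists, expect no markup at all) is what catches it.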