CVE-2013-7454

Name of the Vulnerable Software and Affected Versions: validator versions prior to 1.1.0

Description: The issue allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. Several cross-site scripting vulnerabilities are present due to bypasses discovered in the blacklist-based filter. This includes improper parsing of nested tags, incomplete filtering of javascript: URIs, and UI Redressing. Various inputs that could bypass the filter were discovered, including bypass via nested forbidden strings.

Recommendations: For versions prior to 1.1.0, consider replacing the xss filter function from the validator package with the escape filter function from the same package, as it replaces all instances of angle brackets, ampersands, and quotation marks, preventing HTML tags from being processed.