PT-2017-6396 · Validator
Published: 2016-02-10 · Updated: 2018-11-06
CVE-2014-9772
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
validator versions prior to 2.0.0
Description
The issue allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters, which may result in a cross-site scripting vulnerability. The xss() function removes the word "javascript" when it appears inside an attribute, but it does not decode hex-encoded characters before doing so, so an encoded form of the word passes through untouched. For example, an input of the form <a href="javascript:...">abc</a> with the scheme hex-encoded survives the filter and renders as <a href="javascript:...">abc</a>, which the browser accepts as a valid JavaScript URL.
Recommendations
For versions prior to 2.0.0, consider using an alternative package that provides similar xss filter functionality to mitigate this issue. If the xss filter feature is not currently being used, you are not affected by the vulnerability. If it is being used, note that updating to the latest version of the module will break your application. As a temporary workaround, consider disabling the xss() function until a suitable replacement or patch is available.
Exploit
Fix
XSS
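The weakness described above is that the filter matches the literal word "javascript" without first decoding HTML character references. The following added example (it is not code from validator or from this advisory) contrasts a naive strip-the-word filter, mirroring the behaviour described, with an allow-list check on the URL scheme that decodes character references first. `decodeHtmlEntities`, `isSafeHref` and the `SAFE_SCHEMES` allow-list are hypothetical helpers written for this example, and the sample attribute values are constructed.

```javascript
// Added example, not validator's own code. Shows why removing the literal word
// "javascript" from an attribute value is insufficient, and how an allow-list
// check that decodes HTML character references first catches the hex-encoded form.

// Minimal decoder for numeric (&#x6A; / &#106;) and a few named character
// references. Hypothetical helper for this example; production code should use a
// complete HTML5 entity decoder.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return Number.isNaN(code) || code > 0x10ffff ? m : String.fromCodePoint(code);
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : m;
  });
}

// Mirrors the filtering behaviour the advisory describes: strip the literal word
// "javascript" from an attribute value without decoding first. This is the
// vulnerable pattern; an encoded scheme is left untouched.
function naiveStripJavascript(attrValue) {
  return attrValue.replace(/javascript/gi, '');
}

// Hardened check: decode character references, drop ASCII control and whitespace
// characters that browsers ignore inside the scheme, then accept only an explicit
// allow-list of schemes (constructed choice) or scheme-less relative URLs.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeHref(attrValue) {
  const decoded = decodeHtmlEntities(attrValue).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  if (!m) return true; // no scheme at all: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample attribute values (not taken from the advisory).
const samples = {
  plain: 'javascript:void(0)',
  hexScheme: '&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:void(0)',
  https: 'https://example.com/',
  relative: '/docs/index.html',
};

// Evaluate one value under both approaches. naiveStillHasScript is true when the
// naive filter's output still decodes to a javascript: URL, i.e. the bypass worked.
function evaluate(attrValue) {
  const naiveOutput = naiveStripJavascript(attrValue);
  return {
    naiveOutput,
    naiveStillHasScript: /^javascript:/i.test(decodeHtmlEntities(naiveOutput)),
    allowListed: isSafeHref(attrValue),
  };
}

for (const [name, value] of Object.entries(samples)) {
  console.log(name, evaluate(value));
}
```

Run with `node`: the plain `javascript:` value is mangled by the naive filter, but the hex-encoded value passes through unchanged and still decodes to a `javascript:` URL, while the allow-list check rejects both and accepts the `https` and relative values. The design point is that the decision is made on the decoded, normalised value against a list of known-good schemes, so new encodings of a bad scheme do not need new denylist rules.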
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Validator