PT-2023-19087 · Sanitize +3

David Klein · Published 2023-01-27 · Updated 2024-04-24 · CVE-2023-23627

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sanitize versions 5.0.0 through 6.0.1

Description: Sanitize is an allowlist-based HTML and CSS sanitizer. When configured with a custom allowlist that allows noscript elements, attackers can include arbitrary HTML, resulting in cross-site scripting or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

Recommendations: For Sanitize versions 5.0.0 through 6.0.1, upgrade to version 6.0.1 or later to resolve the issue. As a temporary workaround, consider using one of Sanitize's default configs or ensuring that your custom config does not include noscript in the element allowlist.
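The advisory's two checks (is the installed Sanitize in the affected range, and does the custom config put noscript in the element allowlist) are easy to automate. The following Ruby is an added example written for this page, not code from the advisory or from the Sanitize project. It assumes a config hash in Sanitize's documented shape (an :elements array of tag names) but does not load the sanitize gem; the WEAK_CONFIG sample is constructed here to illustrate a relaxed allowlist that someone extended with noscript.

```ruby
# Added example: audit a custom Sanitize config and version against this advisory.
# Does not require the sanitize gem; Gem::Version comes from Ruby's stdlib.
require "rubygems"

AFFECTED_FIRST = Gem::Version.new("5.0.0")   # range stated in the advisory
AFFECTED_LAST  = Gem::Version.new("6.0.1")
RISKY_ELEMENT  = "noscript"

# true when the given Sanitize version lies in the affected range (inclusive)
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FIRST && v <= AFFECTED_LAST
end

# Returns an array of finding strings; an empty array means nothing to report.
# Element names are compared case-insensitively, matching HTML tag semantics.
def audit_config(config, version: nil)
  findings = []
  elements = Array(config[:elements]).map { |e| e.to_s.downcase }
  if elements.include?(RISKY_ELEMENT)
    msg = "custom allowlist permits <noscript>"
    msg += " on affected Sanitize #{version}" if version && affected_version?(version)
    findings << msg
  end
  findings
end

# Returns a copy of the config with noscript dropped from the element allowlist,
# i.e. the workaround the advisory recommends until the upgrade is done.
def harden_config(config)
  hardened = config.dup
  hardened[:elements] = Array(config[:elements]).reject { |e| e.to_s.casecmp?(RISKY_ELEMENT) }
  hardened
end

# Constructed sample (not from the advisory): a relaxed allowlist extended with noscript.
WEAK_CONFIG = {
  elements: %w[a b em i p strong ul ol li noscript],
  attributes: { "a" => %w[href title] },
  protocols: { "a" => { "href" => %w[http https mailto] } }
}

if __FILE__ == $PROGRAM_NAME
  audit_config(WEAK_CONFIG, version: "6.0.0").each { |f| puts "FINDING: #{f}" }
  puts "hardened elements: #{harden_config(WEAK_CONFIG)[:elements].inspect}"
end
```

Run it against the config hash you pass to Sanize's constructor (or Sanitize::Config.merge) together with the version reported by your bundle; a finding on an affected version means either upgrading or applying harden_config before the config is used.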

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2023-23627
GHSA-FW3G-2H3J-QMM7
USN-6748-1

Affected Products

Debian
Linuxmint
Sanitize
Ubuntu