Unknown · Express-Xss-Sanitizer · CVE-2026-33979
**Name of the Vulnerable Software and Affected Versions**
Express XSS Sanitizer versions prior to 2.0.2
Express XSS Sanitizer versions 4.x and 5.x
**Description**
Express XSS Sanitizer, middleware for Express 4.x and 5.x, sanitizes user input data in `req.body`, `req.query`, `req.headers`, and `req.params` to prevent Cross-Site Scripting (XSS) attacks. A flaw exists where restrictive sanitization configurations are silently ignored. Specifically, when `allowedTags` is set to an empty array (`[]`) and `allowedAttributes` is set to an empty object (`{}`), the library incorrectly falls back to default permissive settings instead of stripping all HTML tags and attributes. This allows a wide range of HTML elements and attributes, such as `<a href="...">` and `<div>`, to be injected. The issue stems from validation logic that incorrectly interprets empty configurations as not provided, leading to a mismatch between developer intent and actual behavior. The vulnerable component is the sanitization logic within the library.
**Recommendations**
Versions prior to 2.0.2: Upgrade to version 2.0.2 or later to ensure that explicitly provided empty configurations for `allowedTags` and `allowedAttributes` are respected.
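The failure mode described above and a regression check for the fix can be shown in a few lines. The following is an added illustration, not code from express-xss-sanitizer: it models an options resolver that treats an empty `allowedTags` array or an empty `allowedAttributes` object as "not provided" (the flaw the advisory describes), beside one that only falls back to defaults when the key is absent, and applies each resolved configuration through a deliberately minimal tag filter. `DEFAULTS`, `resolveOptionsBuggy`, `resolveOptionsFixed`, `applyAllowList`, `strictConfigIsHonoured` and the sample input are all constructed for this example; the library's real default allow-list and internals are not reproduced here.

```javascript
// Added illustration (not the library's own code): how an options resolver
// that treats "empty" as "missing" lets a restrictive sanitizer config
// silently fall back to permissive defaults.

// Constructed permissive defaults, standing in for a sanitizer's built-in allow-list.
const DEFAULTS = {
  allowedTags: ['a', 'b', 'i', 'div', 'p'],
  allowedAttributes: { a: ['href'] },
};

// Buggy resolver: length/keys checks turn [] and {} into "not provided",
// so the developer's strict intent is discarded.
function resolveOptionsBuggy(userOptions = {}) {
  const tags =
    Array.isArray(userOptions.allowedTags) && userOptions.allowedTags.length > 0
      ? userOptions.allowedTags
      : DEFAULTS.allowedTags;
  const attrs =
    userOptions.allowedAttributes && Object.keys(userOptions.allowedAttributes).length > 0
      ? userOptions.allowedAttributes
      : DEFAULTS.allowedAttributes;
  return { allowedTags: tags, allowedAttributes: attrs };
}

// Fixed resolver: only an absent key (undefined) falls back to the defaults;
// an explicitly supplied [] or {} is honoured as "allow nothing".
function resolveOptionsFixed(userOptions = {}) {
  return {
    allowedTags:
      userOptions.allowedTags !== undefined ? userOptions.allowedTags : DEFAULTS.allowedTags,
    allowedAttributes:
      userOptions.allowedAttributes !== undefined
        ? userOptions.allowedAttributes
        : DEFAULTS.allowedAttributes,
  };
}

// Minimal filter that applies a resolved config to a string. It is kept
// simple (regex over well-formed tags) so the example is self-contained;
// a real deployment relies on a proper HTML sanitizer, not this function.
function applyAllowList(input, { allowedTags, allowedAttributes }) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return input.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!allowed.has(tag)) return ''; // drop disallowed tags entirely
    if (whole.startsWith('</')) return `</${tag}>`;
    const keep = new Set((allowedAttributes[tag] || []).map((a) => a.toLowerCase()));
    const attrs = [];
    for (const m of rawAttrs.matchAll(/([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g)) {
      if (keep.has(m[1].toLowerCase())) attrs.push(`${m[1]}=${m[2]}`);
    }
    return `<${tag}${attrs.length ? ' ' + attrs.join(' ') : ''}>`;
  });
}

// Constructed input in the shape the advisory describes, and the strict
// configuration that should strip every tag and attribute.
const SAMPLE = 'hello <a href="https://example.invalid">link</a><div>box</div>';
const STRICT = { allowedTags: [], allowedAttributes: {} };

function sanitizeBuggy(input) {
  return applyAllowList(input, resolveOptionsBuggy(STRICT));
}
function sanitizeFixed(input) {
  return applyAllowList(input, resolveOptionsFixed(STRICT));
}

// Regression check a developer can keep after upgrading: with the strict
// configuration, no tag may survive sanitization.
function strictConfigIsHonoured(sanitize) {
  return !/<[a-zA-Z]/.test(sanitize(SAMPLE));
}

console.log('buggy :', sanitizeBuggy(SAMPLE)); // markup passes through untouched
console.log('fixed :', sanitizeFixed(SAMPLE)); // "hello linkbox"
```

The useful takeaway is the shape of the check rather than the toy filter: after upgrading, run your real middleware with `allowedTags: []` and `allowedAttributes: {}` against an input containing an anchor and a block element, and assert that no `<` followed by a letter remains in the sanitized output. That single assertion would have caught this class of configuration fallback before it reached production.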