CVE-2017-16016

Name of the Vulnerable Software and Affected Versions: sanitize-html versions 1.11.1 and below

Description: The issue concerns a cross-site scripting (XSS) vulnerability in certain scenarios. When at least one non-text tag is allowed, the result is a potential XSS vulnerability. This occurs when the allowedTags parameter includes at least one nonTextTag. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations: For versions 1.11.1 and below, update to version 1.11.4 or later. As a temporary workaround, consider restricting the use of the allowedTags parameter to exclude nonTextTags until a patch is available. Avoid using the allowedTags parameter with nonTextTags in the affected API endpoint until the issue is resolved.