PT-2021-17027 · Unknown · Sanitize-Html

Ron Masas · Published 2021-02-08 · Updated 2026-06-04 · CVE-2021-26540

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: sanitize-html versions prior to 2.3.2

Description: The issue arises from improper validation of the hostnames set by the allowedIframeHostnames option when allowIframeRelativeUrls is set to true. This allows attackers to bypass the hostname whitelist for iframe elements by using a src value that starts with "/example.com".

Recommendations: For versions prior to 2.3.2, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider setting allowIframeRelativeUrls to false to prevent the bypass of the hostname whitelist. Restrict access to iframe elements with src values starting with "/example.com" to minimize the risk of exploitation.
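The safer way to enforce an iframe hostname allowlist when relative src values are permitted is to resolve every value against the page origin with the WHATWG URL parser before comparing hostnames, so a value that merely looks relative cannot point at another host. The following is an added example, not sanitize-html's own code; PAGE_ORIGIN, ALLOWED_IFRAME_HOSTNAMES and isIframeSrcAllowed are assumed names.

```javascript
// Added example (not sanitize-html's implementation): check an iframe src
// against a hostname allowlist by resolving it the way a browser would.
const PAGE_ORIGIN = 'https://app.example';              // constructed: origin serving the page
const ALLOWED_IFRAME_HOSTNAMES = ['www.youtube.com'];   // constructed allowlist

// Returns true only when the src, once resolved against PAGE_ORIGIN, ends up
// either on the page's own host (and relative URLs are allowed) or on an
// explicitly allowlisted host. Anything unparsable or non-http(s) is rejected.
function isIframeSrcAllowed(src, { allowRelative = true } = {}) {
  let url;
  try {
    // Resolving against the base origin turns a path-relative value such as
    // "/example.com" into https://app.example/example.com, while a
    // scheme-relative value such as "//other.example/x" resolves to other.example.
    url = new URL(src, PAGE_ORIGIN);
  } catch {
    return false; // not a URL at all: reject rather than guess
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;

  const pageHost = new URL(PAGE_ORIGIN).hostname;
  if (url.hostname === pageHost) {
    // Genuinely same-host src: permitted only when relative URLs are enabled.
    return allowRelative;
  }
  return ALLOWED_IFRAME_HOSTNAMES.includes(url.hostname);
}

module.exports = { PAGE_ORIGIN, ALLOWED_IFRAME_HOSTNAMES, isIframeSrcAllowed };
```

Comparing the resolved hostname, rather than inspecting the raw string, is the check that setting allowIframeRelativeUrls to false avoids having to get right.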


Related Identifiers

CVE-2021-26540
GHSA-MJXR-4V3X-Q3M4

Affected Products

Sanitize-Html