
Vulnerabilities from the last week
Cross-site Scripting (XSS)
apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via color values passed to the @apostrophecms/color-field module. An attacker can execute JavaScript in the browsers of visitors to affected pages by injecting a payload after -- in the color parameter, or after a closing </style> tag in a widget style.
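The root cause of this class of bug is interpolating a user-supplied "color" into a style sheet without constraining it to the CSS color grammar, so a value such as red</style><script>…</script> closes the style block and is parsed as markup. The following is an added example, not code from ApostropheCMS: a hypothetical allow-list validator (safeCssColor) that accepts only hex, rgb()/rgba()/hsl()/hsla() with numeric arguments, and a constructed subset of named colors, and re-emits the value from the parsed parts so nothing outside the grammar can reach the rendered <style> element. The selector in renderWidgetStyle is assumed to be developer-controlled.

```javascript
// Added example (hypothetical helper, not ApostropheCMS code): validate a
// user-supplied CSS color value before it is written into a <style> block.

const HEX = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// One CSS number: optional sign, integer or decimal (".5" allowed), optional %.
const NUM = '-?(?:\\d+(?:\\.\\d+)?|\\.\\d+)%?';
const FUNC = new RegExp(
  `^(rgba?|hsla?)\\(\\s*(${NUM})\\s*,\\s*(${NUM})\\s*,\\s*(${NUM})\\s*(?:,\\s*(${NUM})\\s*)?\\)$`,
  'i'
);

// Constructed subset of CSS named colors; a real deployment would use the full list.
const NAMED = new Set(['black', 'white', 'red', 'green', 'blue', 'gray', 'transparent', 'currentcolor']);

// Returns a canonical color string, or null if the input is not a plain color.
function safeCssColor(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (v.length === 0 || v.length > 64) return null;          // cheap size cap
  if (HEX.test(v)) return v.toLowerCase();
  if (NAMED.has(v.toLowerCase())) return v.toLowerCase();
  const m = FUNC.exec(v);
  if (m) {
    // Rebuild the value from captured parts only: any "</style>", "}", ";" or
    // comment sequence in the original input cannot survive this step.
    const args = [m[2], m[3], m[4]];
    if (m[5] !== undefined) args.push(m[5]);
    return `${m[1].toLowerCase()}(${args.join(', ')})`;
  }
  return null;                                                 // anything else is rejected
}

// Emits the widget style; refuses to render rather than emitting an unvalidated value.
function renderWidgetStyle(selector, color) {
  const c = safeCssColor(color);
  if (c === null) throw new Error(`rejected color value: ${JSON.stringify(color)}`);
  return `<style>${selector} { background-color: ${c}; }</style>`;
}

// Constructed inputs: a benign value and a style-block breakout attempt.
console.log(renderWidgetStyle('.hero', ' RGBA(0, 0, 0, .5) '));
console.log(safeCssColor('red</style><script>alert(1)</script>')); // null
```

Rejecting (rather than "escaping") is the right failure mode here: there is no general-purpose escaping for CSS values, so the only safe representation of a color is one that matches a known grammar.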
Modification of Assumed-Immutable Data (MAID)
justhtml is a pure Python HTML5 parser that just works.
Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) through the sanitize(), sanitize_dom(), and JustHTML(..., sanitize=True) paths in src/justhtml/sanitize.py. An attacker can bypass intended HTML filtering by mutating nested policy state, such as allowed_attributes or url_policy.allow_rules after a sanitizer has been compiled, causing later sanitization calls to keep using a previously compiled, more permissive policy and preserve dangerous markup or URLs. The same issue affects exported default policy objects process-wide, so weakening DEFAULT_POLICY.url_policy.allow_rules[("a", "href")].allowed_schemes can alter subsequent default sanitization and let malicious links survive in user-visible output.
Note: The maintainer aggregated multiple security fixes into one advisory; the individual impacts are explained in the maintainer's advisory.
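The advisory describes two related failure modes: a sanitizer compiled from a policy object keeps serving the old compiled form after the object is mutated, and a mutable, process-wide default policy lets one caller weaken sanitization for every other caller. The following is an added example in JavaScript, not justhtml's code, that models both with a hypothetical href-scheme policy: sanitizeHrefVulnerable caches the compiled matcher by object identity (so tightening the policy is silently ignored), sanitizeHrefFixed keys the cache on the policy's canonical serialization so any change recompiles, and DEFAULT_POLICY is deep-frozen so it cannot be weakened in place. The policy shape and function names are assumptions for the demo.

```javascript
// Added example (hypothetical, not justhtml): stale compiled policy vs. a
// mutation-proof design. The only decision modelled is "is this href's scheme allowed?".

function schemeOf(href) {
  // Strip ASCII control chars and spaces first: "java\tscript:" must still read as javascript.
  const cleaned = String(href).replace(/[\u0000-\u0020]+/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;            // null = relative URL, no scheme
}

// "Compiling" a policy snapshots its allow-list into a Set.
function compile(policy) {
  const schemes = new Set(policy.url.allowedSchemes.map((s) => s.toLowerCase()));
  return { allowsHref: (href) => { const s = schemeOf(href); return s === null || schemes.has(s); } };
}

// VULNERABLE: cache keyed on object identity. Mutating policy.url.allowedSchemes
// later does not change the key, so the first (more permissive) compile is reused.
const staleCache = new WeakMap();
function sanitizeHrefVulnerable(policy, href) {
  let compiled = staleCache.get(policy);
  if (!compiled) { compiled = compile(policy); staleCache.set(policy, compiled); }
  return compiled.allowsHref(href) ? href : null;
}

// FIXED: cache keyed on the policy's serialized content, so any mutation yields a
// fresh compile. (A production version would canonicalize key order or freeze inputs.)
const freshCache = new Map();
function sanitizeHrefFixed(policy, href) {
  const key = JSON.stringify(policy);
  let compiled = freshCache.get(key);
  if (!compiled) { compiled = compile(policy); freshCache.set(key, compiled); }
  return compiled.allowsHref(href) ? href : null;
}

// FIXED (shared default): freeze the exported default recursively so no caller can
// weaken it process-wide by pushing onto a nested array.
function deepFreeze(obj) {
  for (const v of Object.values(obj)) if (v && typeof v === 'object') deepFreeze(v);
  return Object.freeze(obj);
}
const DEFAULT_POLICY = deepFreeze({ url: { allowedSchemes: ['http', 'https', 'mailto'] } });

// Returns true only if the default could be weakened; push on a frozen array throws.
function tryWeakenDefault() {
  try { DEFAULT_POLICY.url.allowedSchemes.push('javascript'); return true; } catch (e) { return false; }
}

// Scenario: an app ships with data: allowed, compiles once, then tightens the policy.
function demo() {
  const policy = { url: { allowedSchemes: ['http', 'https', 'data'] } };
  const href = 'data:text/html,<script>alert(1)</script>';     // constructed payload
  const before = { vuln: sanitizeHrefVulnerable(policy, href), fixed: sanitizeHrefFixed(policy, href) };
  policy.url.allowedSchemes = ['http', 'https'];                 // operator removes data:
  const after = { vuln: sanitizeHrefVulnerable(policy, href), fixed: sanitizeHrefFixed(policy, href) };
  return { before, after };
}

console.log(demo());                 // after.vuln still returns the data: URL; after.fixed is null
console.log(tryWeakenDefault());     // false
```

The design point is that a sanitizer's effective policy must be a function of the policy's current content, never of the identity of an object the caller can still reach and mutate; freezing defaults turns a silent weakening into a loud failure.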
Operator Precedence Logic Error
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADD_TAGS over FORBID_TAGS in _sanitizeElements(). In an application where ADD_TAGS is used as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) and FORBID_TAGS is in use, an attacker can cause forbidden tags to be allowed.
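The bug pattern is an allow-source evaluated with || ahead of the deny-list, so a permissive tag-check callback returns true before FORBID_TAGS is ever consulted. The following is an added example, a hypothetical model built from the advisory text and not DOMPurify's source: makeFilter exposes the short-circuiting check (keepVulnerable) next to the corrected one (keepFixed), in which the forbid list is a hard deny evaluated first, and sanitizeTags is a deliberately minimal regex-based tag stripper used only to show the effect on constructed input (it is not a real sanitizer).

```javascript
// Added example (hypothetical model, not DOMPurify code): precedence between a
// tag-check callback (ADD_TAGS as a function) and FORBID_TAGS.

const DEFAULT_ALLOWED = new Set(['a', 'b', 'p', 'span', 'div']);   // constructed baseline

function makeFilter({ addTags = [], forbidTags = [], tagCheck = null } = {}) {
  const allowed = new Set([...DEFAULT_ALLOWED, ...addTags]);
  const forbidden = new Set(forbidTags);
  const check = (tag) => tagCheck !== null && tagCheck(tag) === true;
  return {
    // VULNERABLE: if the callback says yes, || short-circuits and the forbid list
    // on the right-hand side is never reached.
    keepVulnerable(tag) {
      return check(tag) || (allowed.has(tag) && !forbidden.has(tag));
    },
    // FIXED: deny first, then consult any allow source.
    keepFixed(tag) {
      if (forbidden.has(tag)) return false;
      return allowed.has(tag) || check(tag);
    },
  };
}

// Toy stripper: drops start/end tags the predicate rejects and keeps their text
// content (analogous to keep-content behaviour). Regex-based, demo only.
function sanitizeTags(html, keep) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g, (m, tag) =>
    keep(tag.toLowerCase()) ? m : ''
  );
}

// Scenario: the app allows every custom element via tagCheck but forbids one
// specific custom tag. The vulnerable ordering lets the forbidden tag through.
function demoPrecedence() {
  const filter = makeFilter({
    forbidTags: ['x-evil'],
    tagCheck: (tag) => tag.includes('-'),          // "any custom element is fine"
  });
  const input = '<p>hi</p><x-evil onload="steal()">x</x-evil><x-card>ok</x-card>'; // constructed
  return {
    vulnerable: sanitizeTags(input, filter.keepVulnerable),
    fixed: sanitizeTags(input, filter.keepFixed),
  };
}

console.log(demoPrecedence());
```

When reviewing sanitizer configuration code, the check to make is that every deny-list is evaluated unconditionally, not as the right operand of an || whose left operand the application can make permissive.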
Recent vulnerabilities disclosed by Snyk
- Medium: Cross-site Scripting (XSS) in github.com/yuin/goldmark/renderer/html (golang)
- Medium: Division by zero in jsrsasign (npm)
- High: Incorrect Conversion between Numeric Types in jsrsasign (npm)
- Critical: Missing Cryptographic Step in jsrsasign (npm)
- Critical: Improper Verification of Cryptographic Signature in jsrsasign (npm)
Snyk security researchers have disclosed 3483 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.