CVE-2025-29771

Vulnerability Description

HtmlSanitizer is a client-side HTML sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string produced by the package. The issue arises when the input is specifically crafted to abuse the code beautifier, which runs after sanitization. The issue is patched in version 2.0.3.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-29771?

CVE-2025-29771 is a documented vulnerability. HtmlSanitizer is a client-side HTML sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerH...

How severe is CVE-2025-29771?

CVSS scoring is not yet available for CVE-2025-29771. Check NVD for updates.

Is there a patch for CVE-2025-29771?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.