Attack Chain

1. The attacker crafts malicious HTML containing JavaScript code wrapped within an <xmp> tag (e.g., <xmp><script>alert(1)</script></xmp>).
2. The application utilizes sanitize-html version 2.17.3 or earlier with default settings to sanitize the malicious HTML.
3. Due to the omission of xmp from the nonTextTags list, sanitize-html does not treat the xmp tag as a container to be completely discarded.
4. The ontext handler in sanitize-html appends the content within the xmp tag directly to the output without proper escaping.
5. The sanitized output, still containing the unescaped JavaScript code from within the <xmp> tag, is stored in the application’s database or displayed to other users.
6. When a user views the stored or displayed content, the browser renders the unescaped JavaScript code within the now-live HTML structure.
7. The attacker’s JavaScript code executes in the user’s browser, potentially stealing sensitive information, performing actions on behalf of the user, or defacing the application.

Impact

This XSS vulnerability allows a remote attacker to inject arbitrary JavaScript into a user’s browser. Successful exploitation can lead to session hijacking, sensitive data theft, account takeover, and defacement of the application. Applications that rely on sanitize-html for input sanitization and render the output as trusted HTML are vulnerable. The severity is rated as critical due to the ease of exploitation and potential impact.

Recommendation

• Upgrade to sanitize-html version 2.18.0 or later, where this vulnerability is resolved.
• As a temporary workaround, configure sanitize-html to explicitly disallow the xmp tag or to escape its content.
• Deploy the Sigma rule Detect sanitize-html XSS via XMP Tag Bypass to identify exploitation attempts (process_creation).
• Review and update any existing sanitization configurations to ensure that potentially dangerous tags are properly handled.