CVE-2025-29771: Cross-Site Scripting (XSS) Vulnerability in HtmlSanitizer
Executive Summary
CVE-2025-29771 is a cross-site scripting (XSS) vulnerability affecting versions of the HtmlSanitizer library prior to 2.0.3. HtmlSanitizer is a JavaScript library used to sanitize HTML content, often employed in scenarios where user-generated content is rendered in web applications. The vulnerability arises when the library is used in conjunction with a contentEditable element, allowing an attacker to execute arbitrary JavaScript code by abusing the library's post-sanitization beautification process. This issue has been classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
The vulnerability has a CVSS v4.0 base score of 5.3 (Medium), with a low attack complexity and no privileges required for exploitation. The issue has been patched in version 2.0.3 of the library. Users are strongly advised to update to the latest version to mitigate the risk.
Technical Details
Affected Systems
The vulnerability specifically impacts the following:
- Library: HtmlSanitizer
- Affected Versions: All versions prior to 2.0.3
- Patched Version: 2.0.3
- Environment: Web applications using HtmlSanitizer in conjunction with
contentEditableelements.
Vulnerable Component
The vulnerability lies in the HtmlSanitizer.js file, particularly in the code responsible for beautifying sanitized HTML. When sanitizing content for contentEditable elements, the library performs additional beautification steps on the sanitized string. One such step involves replacing <br> tags with a newline character (\n) to improve readability. This beautification process inadvertently introduces an XSS vector when crafted malicious input is provided.
Root Cause Analysis
The root cause of the vulnerability is the improper handling of <br> tags during the post-sanitization beautification process. Specifically, the following line in HtmlSanitizer.js is responsible:
.replace(/<br[^>]*>(\S)/g, "<br>\n$1")
Explanation of the Code
-
Regex Breakdown:
/- Delimiters for the regular expression.<br[^>]*>- Matches a<br>tag with optional attributes.(\S)- Captures a non-whitespace character immediately following the<br>tag.g- Global flag to apply the replacement to all matches.
-
Replacement:
- Replaces the matched
<br>tag with<br>\nfollowed by the captured non-whitespace character.
- Replaces the matched
While this replacement is intended to improve code readability, it inadvertently allows an attacker to inject malicious payloads that bypass the sanitizer. For instance, a crafted input like <br><img src=x onerror=alert(1)> could exploit this behavior.
Vulnerable Workflow
- User input is sanitized using HtmlSanitizer.
- The sanitized string undergoes beautification, where
<br>tags are replaced. - Malicious payloads crafted to exploit this beautification step are reintroduced into the sanitized content.
Patch Analysis
The vulnerability was addressed in commit af6d2a7. The patch removes the problematic beautification step entirely. Below is the relevant diff:
@@ -92,7 +92,6 @@ const HtmlSanitizer = new (function () {
let resultElement = makeSanitizedCopy(doc.body);
return resultElement.innerHTML
- .replace(/<br[^>]*>(\S)/g, "<br>\n$1")
.replace(/div><div/g, "div>\n<div"); //replace is just for cleaner code
}
Line-by-Line Explanation
-
Removed Line:
.replace(/<br[^>]*>(\S)/g, "<br>\n$1")- This line was responsible for replacing
<br>tags with<br>\nand introducing the XSS vulnerability. By removing this line, the beautification step no longer processes<br>tags, eliminating the attack vector.
- This line was responsible for replacing
-
Remaining Code:
.replace(/div><div/g, "div>\n<div");- This line remains unchanged and continues to improve readability by adding newlines between
<div>tags.
- This line remains unchanged and continues to improve readability by adding newlines between
The patch is minimal but effective, as it directly removes the vulnerable functionality without impacting other features of the library.
Exploitation Techniques
Proof-of-Concept (PoC)
An attacker can exploit this vulnerability by crafting malicious HTML input that abuses the <br> beautification process. Below is a step-by-step PoC:
-
Setup:
- Use HtmlSanitizer to sanitize user input for a
contentEditableelement.
- Use HtmlSanitizer to sanitize user input for a
-
Malicious Input:
<br><img src=x onerror=alert(1)> -
Sanitization:
- The input is sanitized, but the
<br>beautification step reintroduces the malicious payload.
- The input is sanitized, but the
-
Execution:
- When the sanitized content is rendered in a
contentEditableelement, theonerrorattribute of the<img>tag is executed, triggering the XSS payload.
- When the sanitized content is rendered in a
Real-World Impact
This vulnerability could be exploited in scenarios where:
- User-generated content is sanitized and rendered in
contentEditableelements. - Applications rely on HtmlSanitizer for XSS protection but fail to update to the patched version.
Potential consequences include:
- Theft of sensitive user data (e.g., session cookies).
- Unauthorized actions performed on behalf of the user.
- Defacement of web pages.
Mitigation Strategies
To mitigate the risk of exploitation, consider the following recommendations:
-
Update to Version 2.0.3:
- Upgrade to the latest version of HtmlSanitizer, where the vulnerability has been patched.
-
Avoid Using
contentEditable:- If possible, avoid using
contentEditableelements, as they are inherently prone to XSS vulnerabilities.
- If possible, avoid using
-
Input Validation:
- Implement server-side input validation to complement client-side sanitization.
-
Content Security Policy (CSP):
- Deploy a strict CSP to prevent the execution of unauthorized scripts.
-
Regular Dependency Audits:
- Regularly audit third-party libraries for known vulnerabilities and apply patches promptly.
Timeline of Discovery and Disclosure
| Date | Event |
|---|---|
| March 14, 2025 | Vulnerability reported and advisory published by GitHub. |
| March 14, 2025 | Patch released in version 2.0.3 of HtmlSanitizer. |
| March 14, 2025 | CVE-2025-29771 assigned and publicly disclosed. |
References
- GitHub Security Advisory
- Commit Fixing the Vulnerability
- CWE-79: Cross-site Scripting
- NVD Entry for CVE-2025-29771
By addressing this vulnerability promptly and following the mitigation strategies outlined above, developers can ensure the security of their applications and protect users from potential XSS attacks.