`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| sanitize-html(npm) | 0 | 2.0.0-beta | N/A |
CVSS Metrics
