Skip to content

Create advisory to raise awareness of previously fixed sanitisation bypasses #28

Description

@the-cartographer

Hey team, hope you're well!

Back in #19, @crookedneighbor helped patch some bypasses in the sanitisation logic for inject-stylesheet

Although this was quite some time ago, looking at https://www.npmjs.com/package/inject-stylesheet?activeTab=versions it seems there have still been ~36,000 downloads of the old vulnerable v4.0.0 of the library over the last 7 days.

To give developers the best chance of realising they might be running an old unpatched version (via Dependabot, Snyk, npm-audit, etc), can we raise a security advisory for the sanitisation bypasses that have been fixed previously?

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions