Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Passing in a non-string 'html' argument can lead to unsanitized output
Vulnerability Description
The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause `striptags` to concatenate unsanitized strings when an array-like object is passed in as the `html` parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
非预期数据类型处理不恰当
Vulnerability Title
striptags 安全漏洞
Vulnerability Description
striptags是一个软件包。 striptags 存在安全漏洞,该漏洞源于在3.2.0版本之前的striptags中,当一个类似数组的对象作为 html 参数传入时,类型混淆漏洞会导致 striptags 连接未经处理的字符串。攻击者可利用该漏洞输入的形状,查询参数被直接传递到函数中,这可能导致XSS。
CVSS Information
N/A
Vulnerability Type
N/A