HTML Injection in preact
Moderate severity
GitHub Reviewed
Published Sep 2, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023
Package: preact
Affected versions: >= 10.0.0-alpha.0, <= 10.0.0-beta.0
Patched versions: 10.0.0-beta.1
Description
Reviewed: Aug 31, 2020
Published to the GitHub Advisory Database: Sep 2, 2020
Last updated: Jan 9, 2023
Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation, the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization.

Recommendation
Upgrade to version 10.0.0-beta.1.
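As an added example (not preact's code and not part of the advisory), the following JavaScript shows an application-side guard that addresses the advisory's precondition independently of the library upgrade: data coming out of JSON.parse() is coerced to strings before it is handed to JSX, and a separate helper checks that no object is left in a child position. The names sanitizeForJsx, toText, isRenderablePrimitive and containsObjectLeaf are hypothetical, the sample JSON is constructed, and the JSX usage appears only in comments so the block runs without preact installed.

```javascript
// Added example (hypothetical helpers, not preact's own code).
//
// The advisory's precondition is untrusted input parsed with JSON.parse()
// and passed straight into JSX, where a plain object could be taken for a
// virtual-dom node. Application code can close that path on its own by
// only ever handing primitives (strings, numbers) to JSX when the data
// originates from JSON.

// True for values that can be rendered as text without interpretation.
function isRenderablePrimitive(value) {
  return (
    typeof value === 'string' ||
    typeof value === 'number' ||
    typeof value === 'boolean' ||
    value === null ||
    value === undefined
  );
}

// Coerce one untrusted value to a string. Objects and functions never pass
// through unchanged: objects are serialized to text, functions are dropped,
// so whatever shape the JSON had, JSX only ever sees a string.
function toText(value) {
  if (isRenderablePrimitive(value)) {
    return value == null ? '' : String(value);
  }
  if (typeof value === 'function') {
    return '';
  }
  return JSON.stringify(value);
}

// Walk a parsed JSON value and return a structure whose leaves are all
// strings. Arrays stay arrays (JSX renders arrays of strings as text);
// plain objects are flattened to "key: value" strings so that no object
// remains in a child position.
function sanitizeForJsx(parsed) {
  if (Array.isArray(parsed)) {
    return parsed.map(sanitizeForJsx);
  }
  if (parsed !== null && typeof parsed === 'object') {
    return Object.keys(parsed).map((k) => k + ': ' + toText(parsed[k]));
  }
  return toText(parsed);
}

// Check usable in unit tests or a render-time assertion: does any leaf of
// the value about to be rendered still hold a non-array object?
function containsObjectLeaf(value) {
  if (Array.isArray(value)) {
    return value.some(containsObjectLeaf);
  }
  return value !== null && typeof value === 'object';
}

// Pattern the advisory warns about (constructed, shown as a comment):
//   <div>{JSON.parse(untrusted)}</div>
// Hardened pattern:
//   <div>{sanitizeForJsx(JSON.parse(untrusted))}</div>

// Constructed sample input: a JSON document with nested array and object.
function demo() {
  const untrusted = '{"name":"alice","tags":["x","y"],"profile":{"city":"Oslo"}}';
  const parsed = JSON.parse(untrusted);
  const safe = sanitizeForJsx(parsed);
  if (containsObjectLeaf(safe)) {
    throw new Error('sanitizer left an object in a child position');
  }
  return safe;
}
```

The guard is deliberately strict: it never tries to decide whether an object "looks like" a vnode, it simply refuses to let any object through as a child, which is the property the JSX call site actually needs when its input came from JSON.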