Posts Tagged ‘recursive’

sanitize-html-react Vulnerability

21 Nov 2020


At work, we tend to test our near-complete features internally as a team to capture any bugs before they are shipped to customers. We call this process a ‘blitz’ and it has successfully caught many bugs for us that can be addressed before shipping a feature.

In this case, I was testing a sanitization library we had used to sanitize some use provided input (as HTML) called sanitize-html-react. After testing some common payloads from the OWASP XSS Cheat Sheet I discovered the library was flawed.

This library was selected because it was already in use in other parts of the codebase. For this reason, we believed it to be safe as we assumed it has passed the required security checks and standards we have set in place. However, in this case, it wasn’t.

sanitize-html-react library

The sanitize-html-react library is a fork at some point in time off the sanitize-html library.
However, it has no dependencies on sanitize-html and therefore it will not benefit from security updates.
The sanitize-html library is actively maintained where as sanitize-html-react library has not been updated for more than four years!

sanitize-html-react Github Repo

Proof of Concept

The discovered bug was found using the recursive XSS payload above.
The above config states we should discard all tags (as allowedTags list is empty).
In the above example the inner <u> in <<u>u>underlined is stripped away which forms a new <u> element resulting in the final string <u>underlined.

The same concept can be used to render <script> tags (or any other tag).

External Usage

Many open-source public repositories are or have used this library, potentially opening themselves up to security vulnerabilities.


An issue has been created on the Github repo here:

Proposed Solutions

✅ sanitize-html

Replace package with sanitize-html (
This is a maintained, up to date, drop-in replacement.

✅ DOMPurify

Replace package with DOMPurify (
Popular and maintained XSS sanitizer.

✅ lodash.escape

Consider using Lodash escape ( if you were only using sanitize-html-react in escape mode.

No Comments

Posted in XSS


HACKvent 2015: Day 10

10 Dec 2015
CTF: Hackvent 2015
Link to challenge:
Date Completed: 10 December 2015


The following zip file was also provided: Download ZIP File


We notice that the zip file contains one zip file called, that contains one zip file called and so on. I also know that the file zile will keep getting lower and lower in file size the more we extract (due to ZIP headers and padding). Furthermore, opening the file in HxD (the hex editor) allows us to see the names of all embedded zip files. We see the number among many others so we know there are a lot of files here!

We write a quick python script to recursively extract each zip file.

Finally we reach the zip file: which is different from all of the other files.
This zip file contains one file called worst.500 and is password protected.

We use the glorious Accent Zip Password Recovery to crack the password in milliseconds.

The password for the zip file is: love

We extract the file, look inside and find the flag!

Flag:  HV15-iQYf-adNg-o4S9-JHc7-vfWu

No Comments

Posted in Hackvent 2015