[
https://issues.apache.org/jira/browse/ATLAS-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084271#comment-18084271
]
ASF subversion and git services commented on ATLAS-5298:
--------------------------------------------------------
Commit 4694a8cc1e5362cb1bbc13c7da7e14337a27fe03 in atlas's branch
refs/heads/atlas-2.6 from Brijesh Bhalala
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=4694a8cc1 ]
ATLAS-5298: Atlas-React UI: Fix Critical XSS Vulnerability in sanitize-html
dependency (#641)
(cherry-picked from commit 079e44c9e6d72819a4a89041f562f8528119f86a)
> Atlas React UI: Fix Critical XSS Vulnerability in sanitize-html dependency
> --------------------------------------------------------------------------
>
> Key: ATLAS-5298
> URL: https://issues.apache.org/jira/browse/ATLAS-5298
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Affects Versions: 2.5.0
> Reporter: Brijesh Bhalala
> Assignee: Brijesh Bhalala
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> h4. *Problem*
> A critical security vulnerability has been identified in the
> {{sanitize-html}} library used in the project.
> Current affected versions:
> * {{sanitize-html <= 2.17.3}}
> Issue:
> * Vulnerability allows *Cross-Site Scripting (XSS)* via {{xmp}} raw-text
> passthrough handling.
> * This can potentially allow attackers to inject malicious scripts into
> sanitized HTML content.
> * Severity: *CRITICAL*
> This impacts any feature where user-generated HTML is sanitized before
> rendering.
> ----
> h4. *Impact*
> If exploited, this vulnerability may lead to:
> * Execution of malicious JavaScript in the browser
> * Session hijacking or token theft
> * UI manipulation / phishing attacks inside the application
> * Compromise of user data in frontend context
> ----
> h4. *Root Cause*
> The {{sanitize-html}} dependency allows unsafe handling of certain raw-text
> HTML tags (like {{xmp}}), leading to improper sanitization and script
> injection risk.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
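Two checks a maintainer of a UI that depends on sanitize-html would want after reading this issue, written here as an added example; this is not code from the Atlas project, from the commit referenced above, or from the sanitize-html library. The first scans a package-lock.json (a constructed sample is embedded) for every copy of sanitize-html, including nested transitive copies, and flags versions at or below 2.17.3, the affected range quoted in the issue. The second is a defence-in-depth gate on already-sanitized output: once a sanitizer has escaped text content, a literal `<xmp` can only be an element, so its presence means a raw-text element survived sanitization and the output must not be rendered. All function names (`findAffectedSanitizeHtml`, `rejectRawTextElements`, and the helpers) and the sample lockfile are assumptions of this example.

```javascript
// Added example for ATLAS-5298; not Atlas or sanitize-html project code.
// Assumptions: lockfile v1 ("dependencies" tree) or v2/v3 ("packages" map)
// layouts, plain semver pins, and the constructed SAMPLE_LOCK below.

const AFFECTED_MAX_VERSION = '2.17.3'; // from the issue: sanitize-html <= 2.17.3

function parseSemver(version) {
  // "2.17.3", "v2.17.3" or "2.17.3-beta.1" -> [2, 17, 3]. Prerelease and
  // build metadata are ignored (assumption: adequate for lockfile pins).
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedSanitizeHtml(version) {
  return compareSemver(version, AFFECTED_MAX_VERSION) <= 0;
}

// Returns [{ path, version }] for every sanitize-html copy in the affected
// range, walking nested node_modules so transitive copies are not missed.
function findAffectedSanitizeHtml(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  const note = (path, version) => {
    if (isAffectedSanitizeHtml(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/sanitize-html$/.test(path) && meta.version) {
        note(path, meta.version);
      }
    }
  } else {
    // lockfile v1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'sanitize-html' && meta.version) note(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Defence in depth on sanitized output. Only <xmp> is named in the issue;
// the list is a constant so other raw-text tags can be added.
const RAW_TEXT_TAGS = ['xmp'];

function findRawTextElements(sanitizedHtml) {
  // Sanitized text content has '<' encoded as '&lt;', so a literal "<xmp"
  // followed by whitespace, '/' or '>' is an element start, not text.
  const pattern = new RegExp(`<(${RAW_TEXT_TAGS.join('|')})(?=[\\s/>])`, 'gi');
  return [...sanitizedHtml.matchAll(pattern)].map((m) => m[1].toLowerCase());
}

function rejectRawTextElements(sanitizedHtml) {
  const found = findRawTextElements(sanitizedHtml);
  if (found.length > 0) {
    throw new Error(`raw-text element(s) survived sanitization: ${found.join(', ')}`);
  }
  return sanitizedHtml;
}

// Constructed sample lockfile (v3 layout): one top-level copy inside the
// affected range and one nested copy outside it.
const SAMPLE_LOCK = JSON.stringify({
  name: 'react-ui-sample',
  lockfileVersion: 3,
  packages: {
    '': { name: 'react-ui-sample', version: '0.0.0' },
    'node_modules/sanitize-html': { version: '2.17.3' },
    'node_modules/some-widget/node_modules/sanitize-html': { version: '2.17.4' },
  },
});

function runChecks(lockJson) {
  return {
    affected: findAffectedSanitizeHtml(lockJson),
    xmpSurvived: findRawTextElements('<xmp>&lt;b&gt;</xmp>').length > 0,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runChecks(SAMPLE_LOCK), null, 2));
}
```

Run it with `node` against a real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync('package-lock.json', 'utf8')`; any entry returned by `findAffectedSanitizeHtml` is a copy still in the range the issue describes, wherever it sits in the tree. The output gate is deliberately a denylist of element names rather than an HTML parse: on correctly sanitized output it never triggers, and on output where a sanitizer has mishandled a raw-text tag it fails closed instead of handing the markup to the browser.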