Create advisory to raise awareness of previously fixed sanitisation bypasses #28
Comments
the-cartographer
changed the title
|
Hi @jplukarski and @oscarleonnogales 👋 Just tagging you for visibility of the above comment as the two most recent contributors - is this project still being actively maintained? Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey team, hope you're well!
Back in #19, @crookedneighbor helped patch some bypasses in the sanitisation logic for
inject-stylesheetAlthough this was quite some time ago, looking at https://www.npmjs.com/package/inject-stylesheet?activeTab=versions it seems there have still been ~36,000 downloads of the old vulnerable v4.0.0 of the library over the last 7 days.
To give developers the best chance of realising they might be running an old unpatched version (via Dependabot, Snyk,
npm-audit, etc), can we raise a security advisory for the sanitisation bypasses that have been fixed previously?https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
The text was updated successfully, but these errors were encountered: