sanitize-html v1.11.4 Release Notes
Fixed crash when `__proto__` is a tag name. Now using a safe check for the existence of properties in all cases. Thanks to Andrew Krasichkov.
Fixed XSS attack vector via `textarea` tags (when explicitly allowed). Decided that `style` (due to its own XSS vectors) cannot realistically be afforded any XSS protection if allowed, unless we add a full CSS parser. Thanks again to Andrew Krasichkov.
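
The "safe check for the existence of properties" from the `__proto__` fix, shown as an added example that is not sanitize-html's own code: a plain bracket lookup on an allowlist object also sees inherited properties, while an own-property check does not. `allowedAttributes`, `isAttrAllowedUnsafe`, `isAttrAllowedSafe` and `probe` are hypothetical names, and the library's actual failing code path is assumed to be of this kind.

```javascript
// Constructed allowlist: tag name -> permitted attribute names.
const allowedAttributes = { a: ['href', 'name'], img: ['src'] };

// Unsafe existence check: map[tag] walks the prototype chain, so a tag
// named "__proto__", "constructor" or "toString" yields an inherited,
// truthy value that is not an array of attribute names.
function isAttrAllowedUnsafe(map, tag, attr) {
  const list = map[tag];
  if (!list) return false;
  return list.indexOf(attr) !== -1; // throws: inherited value has no indexOf
}

// Safe existence check: only keys defined directly on the allowlist count.
// Calling hasOwnProperty through Object.prototype also works if the map
// shadows hasOwnProperty or was created with Object.create(null).
function isAttrAllowedSafe(map, tag, attr) {
  if (!Object.prototype.hasOwnProperty.call(map, tag)) return false;
  return map[tag].indexOf(attr) !== -1;
}

// Run a check and report either its result or the error type it raised.
function probe(check, tag) {
  try {
    return String(check(allowedAttributes, tag, 'href'));
  } catch (err) {
    return err.constructor.name;
  }
}

// Tag names as a parser might hand them over from untrusted markup.
for (const tag of ['a', 'script', '__proto__', 'constructor', 'toString']) {
  console.log(
    tag.padEnd(12),
    'unsafe:', probe(isAttrAllowedUnsafe, tag).padEnd(10),
    'safe:', probe(isAttrAllowedSafe, tag)
  );
}
```
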