OCPBUGS-92088: Fix CVE-2026-44990 sanitize-html stored XSS via HTML sanitizer bypass #16707
jrangelramos wants to merge 1 commit into
Conversation
@jrangelramos: This pull request references Jira Issue OCPBUGS-92088, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Walkthrough
The Changes: Dependency Update
Estimated code review effort: 1 (Trivial) | ~2 minutes
Pre-merge checks: 15 passed
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: jrangelramos
The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
…anitizer bypass

Bump sanitize-html from 2.3.2 to 2.17.5 to fix a stored cross-site scripting vulnerability where attacker-controlled content inside a disallowed xmp element can be turned into live HTML or JavaScript under the default discard mode. Version 2.17.4 patches the issue.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
6a68cc8 to bc8a15b
@jrangelramos: This pull request references Jira Issue OCPBUGS-92088, which is valid. 3 validation(s) were run on this bug.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
🧹 Nitpick comments (1)
frontend/package.json (1)
222-222: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value
Consider pinning an exact version instead of a caret range.
The `^2.17.4` range permits automatic minor/patch updates within 2.x, which could pull in unvetted future releases without an explicit review. As per path instructions for `package*.json` files, "Pin exact versions; verify hashes where supported."
♻️ Proposed fix
- "sanitize-html": "^2.17.4", + "sanitize-html": "2.17.4",🤖 Prompt for AI Agents
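Review bot: the suggested pin `"sanitize-html": "2.17.4"` does not agree with the version the commit message says this bump resolves to (2.17.5, described there as the latest 2.x release). If the range is replaced with an exact pin, it should be the version recorded for sanitize-html in `frontend/yarn.lock` (changed in this PR but excluded from review by the `!**/yarn.lock` path filter), otherwise the manifest and the lockfile will disagree on the resolved version.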
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@frontend/package.json` at line 222, the package.json dependency entry for sanitize-html is using a caret range, which should be pinned to an exact version per the package*.json policy. Update the sanitize-html declaration in the frontend package manifest to a fixed release version instead of ^2.17.4, and keep this dependency aligned with any lockfile or hash verification used in the project.
Source: Path instructions
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 75f955b2-7eaa-4233-a848-7f52a7d6acfc
⛔ Files ignored due to path filters (1)
frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
frontend/package.json
@jrangelramos: all tests passed! Full PR test history. Your PR dashboard.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Analysis / Root cause
`sanitize-html` versions prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript (CVE-2026-44990). This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users.
The package is a direct dependency of the console frontend at version 2.3.2.
Solution description
Bump `sanitize-html` from 2.3.2 to 2.17.5 in `frontend/package.json`. Version 2.17.4 patches the vulnerability; 2.17.5 is the latest 2.x release.
The only source-code consumer is `MarkdownView.tsx`, which uses the standard `sanitizeHtml()` API — no breaking changes in this major-version-compatible bump.
Screenshots / screen recording
N/A — dependency version bump only, no visual changes.
Test setup
No special setup required.
Test cases
- `yarn install` completes without errors
- (`webpack --mode=development`) succeeds
Browser conformance
N/A — no runtime behavior changes beyond the security fix.
Additional info
Summary by CodeRabbit
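The root-cause section above gives a concrete floor (2.17.4 patches CVE-2026-44990) and the nitpick earlier in the thread asks whether the declared range should be an exact pin. The script below is an added example, not code from this PR, from openshift/console or from sanitize-html: it checks a package.json range and a yarn.lock resolution against that floor, reports whether the range is pinned, and applies npm/yarn caret and tilde semantics to confirm the locked version actually satisfies the declared range. The package.json and yarn.lock contents are constructed samples with a placeholder registry URL and dependency; the only values taken from the page are the package name and the 2.17.4 / 2.17.5 / 2.3.2 version numbers.

```javascript
// Added example (not code from the openshift/console PR or from sanitize-html):
// audit the sanitize-html version floor in package.json and the version
// resolved in yarn.lock against the release that patches CVE-2026-44990.
const PACKAGE = 'sanitize-html';
const FIXED_VERSION = '2.17.4'; // first patched release named in the PR

// Constructed sample manifest and lockfile (not the PR's real files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'constructed-frontend',
  dependencies: { [PACKAGE]: '^2.17.4' },
});
const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1',
  '',
  'sanitize-html@^2.17.4:',
  '  version "2.17.5"',
  '  resolved "https://registry.example.invalid/sanitize-html-2.17.5.tgz"',
  '  dependencies:',
  '    placeholder-dep "^1.0.0"',
  '',
].join('\n');

// Plain X.Y.Z only; prerelease tags and compound ranges throw so the audit fails closed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric component-wise comparison (so 2.17.x sorts after 2.3.x).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a manifest range admits, and whether it is an exact pin.
function rangeFloor(range) {
  const r = range.trim();
  if (r[0] === '^' || r[0] === '~') return { floor: r.slice(1), exact: false, operator: r[0] };
  parseVersion(r); // anything else must be a plain pin
  return { floor: r, exact: true, operator: '' };
}

// npm/yarn caret and tilde semantics:
//   ^X.Y.Z  >=X.Y.Z <(X+1).0.0   (X=0: <0.(Y+1).0; 0.0.Z: exact)
//   ~X.Y.Z  >=X.Y.Z <X.(Y+1).0
function satisfies(range, version) {
  const { floor, exact, operator } = rangeFloor(range);
  if (exact) return compareVersions(version, floor) === 0;
  if (compareVersions(version, floor) < 0) return false;
  const [fMajor, fMinor] = parseVersion(floor);
  const [vMajor, vMinor] = parseVersion(version);
  if (operator === '~') return vMajor === fMajor && vMinor === fMinor;
  if (fMajor > 0) return vMajor === fMajor;
  if (fMinor > 0) return vMajor === 0 && vMinor === fMinor;
  return compareVersions(version, floor) === 0;
}

function declaredRange(packageJsonText, name) {
  const pkg = JSON.parse(packageJsonText);
  const range = (pkg.dependencies || {})[name] || (pkg.devDependencies || {})[name];
  if (!range) throw new Error(`${name} is not declared in package.json`);
  return range;
}

// yarn.lock v1: an unindented header such as `sanitize-html@^2.17.4:` (possibly
// quoted, possibly several comma-separated keys) followed by indented fields.
function lockedVersion(yarnLockText, name) {
  const lines = yarnLockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const header = lines[i];
    if (header.startsWith(' ') || header.startsWith('#') || !/:\s*$/.test(header)) continue;
    const keys = header.replace(/:\s*$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
    if (!keys.some((k) => k.startsWith(`${name}@`))) continue;
    for (let j = i + 1; j < lines.length && lines[j].startsWith('  '); j++) {
      const m = /^\s+version\s+"([^"]+)"/.exec(lines[j]);
      if (m) return m[1];
    }
  }
  throw new Error(`${name} has no entry in yarn.lock`);
}

// Compare the manifest floor and the lockfile resolution with the patched release.
function audit(packageJsonText, yarnLockText, name = PACKAGE, fixed = FIXED_VERSION) {
  const range = declaredRange(packageJsonText, name);
  const locked = lockedVersion(yarnLockText, name);
  const { floor, exact } = rangeFloor(range);
  return {
    range,
    locked,
    pinned: exact,
    floorPatched: compareVersions(floor, fixed) >= 0,
    lockedPatched: compareVersions(locked, fixed) >= 0,
    lockMatchesRange: satisfies(range, locked),
  };
}

console.log(audit(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

Run it with Node against the real `frontend/package.json` and `frontend/yarn.lock` by reading those files in place of the samples. `floorPatched` answers the question the root-cause section raises (can the declared range ever resolve below 2.17.4?), `lockedPatched` checks what is actually installed, and `pinned` is the nitpick's concern; anything that is not a plain pin, caret or tilde range makes the audit throw rather than silently pass.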