CVE-2025-29771: 
JavaScript vulnerability analysis and mitigation

HtmlSanitizer, a client-side HTML Sanitizer, was found to contain a cross-site scripting (XSS) vulnerability in versions prior to 2.0.3. The vulnerability was discovered on March 14, 2025, and affects scenarios where the sanitizer is used with a contentEditable element to set the elements innerHTML to a sanitized string produced by the package (NVD, GitHub Advisory).

The vulnerability stems from the code beautifier that runs after the sanitization process. When specifically crafted code is used to abuse the beautifier functionality, it can bypass the intended sanitization protections. The issue has been assigned a CVSS 4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could allow attackers to execute cross-site scripting attacks when the sanitizer is used in conjunction with contentEditable elements. This could potentially lead to unauthorized script execution in the context of the affected web application (GitHub Advisory).

The vulnerability has been patched in HtmlSanitizer version 2.0.3. Users are advised to upgrade to this version or later to address the security issue. The fix involved removing the beautification process that was introducing the attack vector (GitHub Commit).