defuddle is vulnerable to Cross-Site Scripting (XSS)
82
High Risk
Several site extractors in defuddle build their output HTML by interpolating untrusted DOM attribute values, such as an image alt, an image src, or a video description read directly off the page, into template-literal strings without escaping. A value containing a quote character closes the attribute and injects new attributes, producing a live event handler or a javascript: URL. Extractor output is returned without passing through the DOM-based sanitizer used elsewhere, so the injected markup reaches the consumer as executable HTML and runs in the browser. The fix routes all extractor output through a central sanitizer that strips unsafe elements and escapes the interpolated values at each sink.
You are affected if you are using a version that falls within the vulnerable range and your application extracts and renders content from untrusted pages using the affected site extractors.
defuddle is vulnerable to Cross-Site Scripting (XSS) in versions 0.1.0 - 0.19.0.
Upgrade the defuddle library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant