CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-2qv6-9wx5-cwv4: LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

mediumCVSS 6.1CVE-2026-44644
Summary The strip_html filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. This results in stored or reflected XSS in any application that relies on strip_html to neutralize untrusted HTML. Details The vulnerable code is in src/filters/html.ts: // src/filters/html.ts:45-49 export function strip_html (this: FilterImpl, v: string) { const str = stringify(v) this.context.memoryLimit.use(str.length) return str.replace(/<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<.*?>|<!--[\s\S]*?-->/g, '') } The regex has four alternations: 1. <script[\s\S]*?<\/script> — uses [\s\S], matches across newlines. 2. <style[\s\S]*?<\/style> — uses [\s\S], matches across newlines. 3. <.*?> — uses ., which in JavaScript does not match \n or \r (no s/dotAll flag set). 4. <!--[\s\S]*?--> — uses [\s\S], matches across newlines. Branch 3 is the catch-all for "any other tag." Because . excludes line terminators, a tag containing a newline does not match any alternative. The literal characters of the tag are passed through to the output. Browsers, however, parse HTML tag content with whitespace tolerance: per the HTML spec, attribute names and values may be separated by ASCII whitespace, which includes \n and \r. So <img\nsrc=x\nonerror=alert(1)> is parsed as a valid img element with an onerror handler. liquidjs' default rendering pipeline does not auto-escape filter output (the outputEscape engine option is undefined by default — see src/liquid-options.ts), so the unescaped HTML is delivered verbatim to the consumer's HT

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.1
Published
2026-05-27
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-2qv6-9wx5-cwv4

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-44644coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories