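Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting (XSS) vulnerability.
In the example below, an interpolation value that is itself shaped like a placeholder (`__lastNameHTML__`) causes markup to reach the output even though `escapeInterpolation` is enabled.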
// Reproduction from the advisory: markup supplied as an interpolation value
// reaches the string returned by t() although escapeInterpolation is enabled.
const init = i18n.init({ debug: true }, function onReady() {
  const interpolationValues = {
    // Escaping is explicitly requested for this call.
    escapeInterpolation: true,
    // This value is not a name but another placeholder token.
    // NOTE(review): presumably the substituted text is scanned again for
    // placeholders and the "HTML" suffix selects the unescaped form of
    // lastName. Confirm against the interpolation code of the affected release.
    firstName: '__lastNameHTML__',
    // Stand-in for attacker-controlled markup.
    lastName: '<script>',
  };

  const rendered = i18n.t('__firstName__ __lastName__', interpolationValues);
  console.log(rendered);
});
// Output reported by the advisory: "<script> <script>"
// With escaping applied as requested, no raw "<script>" would be expected in
// the result. Treat the return value of t() as unescaped on affected versions.
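Update to version 1.10.3 or later. Until the upgrade is deployed, do not rely on `escapeInterpolation` alone: HTML-encode translated strings at the point where they are written into the page.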
{ "github_reviewed_at": "2020-06-16T21:34:06Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true }