html-to-text is a Node.js package that converts HTML into readable plain text, a common need in email processing, content analysis, and generating accessible output. Versions 1.2.1 and 1.3.0 share the same foundation and declare the same core dependencies: htmlparser for parsing the HTML, underscore and underscore.string for utility functions, and optimist for command-line argument parsing. The developer dependencies (chai, install, and mocha) are also unchanged, indicating a stable testing and development setup.
The visible difference between the two is the release date: version 1.3.0 was published on April 7, 2015, roughly a month after version 1.2.1 (March 2, 2015). The package metadata does not describe what changed in 1.3.0; the short interval suggests incremental bug fixes, performance work, or minor enhancements, but developers considering an upgrade should consult the changelog or commit history in the GitHub repository (git://github.com/werk85/node-html-to-text.git) for the actual modifications. Note that the vulnerabilities listed below live in the package's dependencies rather than in html-to-text's own code, so the dependency versions resolved in your lockfile matter more than the html-to-text version itself.
All vulnerabilities related to version 1.3.0 of the package
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS because its entity-matching regex is overly broad. The slowdown is approximately 2s for 50,000 characters and grows superlinearly with input length; because regex matching in Node.js runs synchronously on the event loop, a single crafted string blocks every other request the process is serving for that long.
Upgrade to version 3.3.5 or higher.
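To make the backtracking concrete, here is an added example (my code, not html-to-text's or underscore.string's) that models the unescapeHTML entity regex before and after the 3.3.5 fix. The two patterns are my recollection of the library's shape (an unbounded `[^;]+` versus a bounded `[^;]{1,20}`) and should be treated as an assumption; the point is the cost profile. The payload is constructed: a run of `&` characters with no terminating `;`, so every position is both a match start and a `[^;]` character and the unbounded pattern does O(n^2) work.

```javascript
// Added example: model of the underscore.string unescapeHTML regex before and
// after the ReDoS fix. Patterns are an assumption about the library's shape.

// Pre-fix shape: unbounded [^;]+ swallows the whole remainder on every '&',
// then backtracks over it when no ';' follows.
const VULNERABLE_ENTITY_RE = /&([^;]+);/g;
// Post-fix shape: entity names are bounded, so each '&' costs at most ~20 steps.
const BOUNDED_ENTITY_RE = /&([^;]{1,20});/g;

// Small named-entity table (constructed subset; the library's is larger).
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function makeUnescaper(entityRe) {
  return function unescapeHTML(str) {
    return String(str).replace(entityRe, (entity, code) => {
      if (code in NAMED_ENTITIES) return NAMED_ENTITIES[code];
      let m;
      if ((m = /^#x([\da-fA-F]+)$/.exec(code))) return String.fromCharCode(parseInt(m[1], 16));
      if ((m = /^#(\d+)$/.exec(code))) return String.fromCharCode(Number(m[1]));
      return entity; // unknown entity: leave untouched
    });
  };
}

const unescapeVulnerable = makeUnescaper(VULNERABLE_ENTITY_RE);
const unescapeBounded = makeUnescaper(BOUNDED_ENTITY_RE);

// Constructed ReDoS payload: n ampersands, no semicolon anywhere.
function redosPayload(n) {
  return '&'.repeat(n);
}

// Time one call; returns elapsed milliseconds and whether the output was
// left unchanged (no entity in the payload is complete, so it should be).
function measure(unescape, input) {
  const start = Date.now();
  const out = unescape(input);
  return { ms: Date.now() - start, unchanged: out === input };
}

// Both variants decode ordinary input identically.
console.log(unescapeBounded('a &lt; b &amp;&amp; c &gt; d &#x41;&#66; &unknown;'));
// Keep the vulnerable run small so it finishes promptly; scale n up to see the
// quadratic growth behind the advisory's "2s for 50,000 characters".
console.log('vulnerable, 5000 chars:', measure(unescapeVulnerable, redosPayload(5000)));
console.log('bounded,  50000 chars:', measure(unescapeBounded, redosPayload(50000)));
```

Run with `node`; raising the vulnerable run to 50,000 characters reproduces the multi-second stall, while the bounded pattern stays in the millisecond range regardless of length. The general lesson is the one to carry into code review: any regex applied to attacker-controlled text needs a bounded repetition or an input length cap before it reaches the engine.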
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution: arguments are not properly sanitized, allowing an attacker to modify the prototype of Object and thereby add or change a property that then appears on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with the value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers control the arguments passed to minimist. In html-to-text, minimist is not a direct dependency; it is pulled in by optimist, the command-line argument parser, so the question for html-to-text users is whether untrusted input ever reaches the package's command-line interface.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
This is a separate, later advisory from the one above: minimist prior to 1.2.6 and 0.2.4 remains vulnerable to prototype pollution via the setKey() function in index.js (lines 69-95), so upgrading only to the versions named in the previous entry is not sufficient.
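Both minimist entries above describe the same class of bug, a dotted --key.path=value argument being written into the result object by walking whatever already exists at each segment. The following added example (my code, not minimist's index.js) models that traversal in three variants: unguarded, a guard that only refuses `__proto__` (the shape of the first fix as I understand it), and a guard that also refuses a `constructor` hop onto a function. The `--constructor.prototype.y=Polluted` argument is a general prototype-pollution variant of the same class, included as my illustration of why a `__proto__`-only check is incomplete rather than as a claim about the specific content of the second advisory; the crash path from `--__proto__=Polluted` is not modelled. All function names and the argv inputs are constructed.

```javascript
// Added example: model of dotted-key assignment in an argv parser, in three
// hardening states. Not minimist's code; names and inputs are constructed.

// Split "--key.path=value" into key segments and value ("--flag" -> true).
function splitArg(arg) {
  const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
  if (!m) return null;
  return { keys: m[1].split('.'), value: m[2] === undefined ? true : m[2] };
}

// Unguarded: walks existing objects, so "__proto__" lands on Object.prototype
// and "constructor" lands on the Object function.
function setKeyUnguarded(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// First-fix shape: refuses "__proto__" anywhere in the path, but the
// constructor -> prototype hop still reaches Object.prototype.
function setKeyProtoOnly(obj, keys, value) {
  if (keys.includes('__proto__')) return;
  setKeyUnguarded(obj, keys, value);
}

// Hardened: refuses "__proto__" and a "constructor" hop onto a function, and
// never traverses into a built-in prototype that happens to be reachable.
function setKeyHardened(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;
    if (o[key] === undefined || o[key] === Object.prototype || o[key] === Function.prototype) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (last === '__proto__') return;
  o[last] = value;
}

function parseWith(setKey, argv) {
  const result = {};
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (parsed) setKey(result, parsed.keys, parsed.value);
  }
  return result;
}

// Parse constructed attacker-style argv, report whether a fresh object picked
// up the injected property, then clean Object.prototype so later runs start
// from a known state. Returns true when pollution occurred.
function pollutionProbe(setKey, argv) {
  parseWith(setKey, argv);
  const polluted = ({}).y === 'Polluted';
  delete Object.prototype.y;
  return polluted;
}

const PROTO_ARGV = ['--__proto__.y=Polluted'];           // from the advisory
const CTOR_ARGV = ['--constructor.prototype.y=Polluted']; // constructed variant

console.log('unguarded  --__proto__.y          polluted:', pollutionProbe(setKeyUnguarded, PROTO_ARGV));
console.log('proto-only --__proto__.y          polluted:', pollutionProbe(setKeyProtoOnly, PROTO_ARGV));
console.log('proto-only --constructor.prototype polluted:', pollutionProbe(setKeyProtoOnly, CTOR_ARGV));
console.log('hardened   --constructor.prototype polluted:', pollutionProbe(setKeyHardened, CTOR_ARGV));
console.log('hardened benign parse:', parseWith(setKeyHardened, ['--a.b=1', '--flag']));
```

The check a practitioner wants is the one in setKeyHardened: refuse every path segment that would move the write target off the object you own, not just the one spelling of it that the current advisory names. For html-to-text deployments the equivalent operational check is confirming which minimist version the lockfile actually resolves behind optimist.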