CVE-2020-7691 Security Vulnerability Issue

[parithibang]

With the latest version of jspdf:2.5.1 integrated into the project getting security vulnerability issue

CVE-2020-7691 EPSS: 0.17%CVSS: 6.1
In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex.

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7691
• https://nvd.nist.gov/vuln/detail/CVE-2020-7691

Will there be a fix for this provided?

[eKoopmans]

Hey @parithibang, copying my response from eKoopmans/html2pdf.js#677:

Thanks for the heads up!

The good news is that the fromHTML method reported in CVE-2020-7691 no longer exists in jsPDF:

• It was deprecated in 2018 and removed sometime after that
• It's not defined on a jsPDF object
• The replacement html method is actually just a clone of htmlpdf.js (fun with recursion 🙃)

I think this should be safe to close, but I'll leave that to the judgment of @parallax.

[github-actions]

This issue is stale because it has been open 90 days with no activity. It will be closed soon. Please comment/reopen if this issue is still relevant.