Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. Exploitation is possible for applications that both render attacker-controlled strings via {{ x | strip_html }} to defend against HTML injection and do not separately HTML-escape that output (default behavior — outputEscape is unset by default). This issue has been fixed in version 10.26.0.
Published: 2026-06-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiquidJS, a Shopify/GitHub Pages compatible template engine, provides a strip_html filter to remove HTML tags from strings before rendering. The filter's regular expression contains a catch-all branch (<.*?>) that fails to match line terminators. As a result, any tag containing a newline or carriage-return character passes through the filter unchanged. An attacker who can inject a newline within a tag, for example <img\nsrc=x\nonerror=alert(1)>, bypasses the intended sanitization. Because browsers treat newlines as whitespace inside tags, the embedded event handler is executed when the malicious markup is rendered. The vulnerability is exploitable in applications that render attacker-controlled strings through {{ x | strip_html }} and do not separately HTML-escape that output, which is the default behavior when outputEscape is unset.

Affected Systems

The flaw affects any system that incorporates the harttle:liquidjs library, specifically all releases 10.25.7 and earlier. Upgrading to release 10.26.0 or later fixes the issue.

Risk and Exploitability

Organizations using LiquidJS face a medium‑risk XSS exposure. The CVSS score of 6.1 reflects this moderate severity, and an EPSS score of < 1 % indicates a very low but non‑zero probability of exploitation. The vulnerability is exploitable when user‑controlled strings are filtered through {{ x | strip_html }} without subsequent HTML‑escaping. Because the filter fails to block tags containing line terminators, an attacker can embed newline characters in the tag, causing browsers to execute injected event handlers. The issue is not listed in CISA KEV, but it can still be leveraged by attackers in environments that rely on strip_html for sanitization.

Generated by OpenCVE AI on June 18, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LiquidJS library to version 10.26.0 or later where the strip_html filter bug is corrected.
  • Configure LiquidJS to enable outputEscape (set outputEscape: true) so that all output is additionally HTML‑escaped during rendering.
  • If an upgrade cannot be performed immediately, remove or disable use of strip_html for untrusted user input and replace it with a dedicated HTML sanitizer or standard escape functions.

Generated by OpenCVE AI on June 18, 2026 at 19:55 UTC.
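
The behaviour described above, as an added example that is not LiquidJS source code: it models only the catch-all branch (<.*?>) quoted in the description, compares it with a variant whose "." also matches line terminators, and shows that HTML-escaping the output neutralises whatever the strip step leaves behind. The helper names and sample strings are constructed for illustration, and the dot-all variant is one way to close the gap, not necessarily the change made in 10.26.0.

```javascript
// Added example, not LiquidJS source. Only the catch-all branch quoted in the
// advisory is modelled here; the real filter is assumed to have other branches.
const CATCH_ALL_DEFAULT = /<.*?>/g;  // "." does not match \n or \r
const CATCH_ALL_DOTALL = /<.*?>/gs;  // "s" flag: "." also matches line terminators

// Hypothetical helper: remove everything the given tag pattern matches.
function stripTags(input, pattern) {
  return String(input).replace(pattern, '');
}

// Hypothetical helper: standard HTML entity escaping, the effect the advisory
// attributes to rendering with output escaping enabled.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: a single-line tag, the tag from the advisory text (\n),
// and the same tag with \r as the separator.
const samples = [
  'hello <b>world</b>',
  'x <img\nsrc=x\nonerror=alert(1)> y',
  'x <img\rsrc=x\ronerror=alert(1)> y',
];

// For one input, report whether a tag survives each strip variant and whether
// escaping the weak variant's output still leaves a raw angle bracket.
function report(input) {
  const weak = stripTags(input, CATCH_ALL_DEFAULT);
  const fixed = stripTags(input, CATCH_ALL_DOTALL);
  return {
    weakLeavesTag: /<[a-z]/i.test(weak),
    fixedLeavesTag: /<[a-z]/i.test(fixed),
    escapedHasRawAngle: /[<>]/.test(escapeHtml(weak)),
  };
}

for (const s of samples) {
  console.log(JSON.stringify(s), report(s));
}
```

The same three inputs make a compact regression test for any template helper that is relied on to remove tags: a tag must not survive stripping merely because it spans more than one line.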


Advisories
Source: Github GHSA
ID: GHSA-2qv6-9wx5-cwv4
Title: LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

History

Thu, 18 Jun 2026 20:30:00 +0000

  • First Time appeared (values added): Harttle; Harttle liquidjs
  • Vendors & Products (values added): Harttle; Harttle liquidjs

Thu, 18 Jun 2026 16:45:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

  • Description (values added): the text given under Description at the top of this page
  • Title (values added): LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
  • Weaknesses (values added): CWE-79
  • References
  • Metrics (values added): cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:09:26.903Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44644

Vulnrichment

Updated: 2026-06-18T13:09:21.706Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')