The validator module prior to 1.1.0 for Node.js allows remote malicious users to bypass the XSS filter via a nested tag.
nodejs node.js 1.0.4