The validator module prior to 1.1.0 for Node.js allows remote malicious users to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
nodejs node.js