html-janitor node module suffers from an External Control of Critical State Data vulnerability via user-control of the '_sanitized' variable causing sanitization to be bypassed.

Bypassing Sanitization using DOM clobbering in html-janitor