XSS Vulnerability "HIGH" due to default escapeHtml=false setting

[nmg196]

The default behaviour of toastr is that html displayed is not encoded.

So this code causes a browser popup:

var msg = 'Hello <script>alert("Danger!")</sc' + 'ript>';
toastr.success("Example <strong>Message</strong> " + msg);

There is a setting which controls this called "escapeHtml". However because this 'fix' is opt-in rather than the default behaviour, it gets flagged in pen tests and security scans as an unfixed HIGH vulnerability.
See: https://security.snyk.io/vuln/SNYK-JS-TOASTR-2396430

Is there no way that escapeHtml = true is the default, and you have to opt in to use HTML instead? Otherwise this library will be permanently flagged as having an XSS vulnerability - category "HIGH", which means it can't be used on many projects.

This would have to be through a new release as current release 2.1.4 is regarded as vulnerable (HIGH) in security scanners:

[peterlaws]

Is this project dead? This issue has been ignored?

[Jacob-Lockwood]

@peterlaws Yes it seems to be dead--the latest release was made in 2018

[peterlaws]

Anyone found a decent similar replacement?

[lucasrochadejesus]

Anyone found a decent similar replacement? [2]

[NkazimuloMvundla]

yes, https://apvarun.github.io/toastify-js/#