Impact
A mutation XSS affects users calling bleach.clean with all of:
svg or math in the allowed tagsp or br in allowed tagsstyle, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags- the keyword argument
strip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
References
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
- Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum
For more information
If you have any questions or comments about this advisory:
Impact
A mutation XSS affects users calling
bleach.cleanwith all of:svgormathin the allowed tagsporbrin allowed tagsstyle,title,noscript,script,textarea,noframes,iframe, orxmpin allowed tagsstrip_comments=FalseNote: none of the above tags are in the default allowed tags and
strip_commentsdefaults toTrue.Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
modify
bleach.cleancalls to at least one of:style,title,noscript,script,textarea,noframes,iframe, orxmptagsvgormathtagsporbrtagsstrip_comments=TrueA strong Content-Security-Policy without
unsafe-inlineandunsafe-evalscript-srcs) will also help mitigate the risk.References
Credits
For more information
If you have any questions or comments about this advisory: