Cross-Site Scripting in bleach

ID GHSA-5634-RV46-48JF
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T17:13:45


All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as "<<script><</script>script>alert('xss');</<script><</script>script>" regardless of the passed options. This may allow attackers to execute arbitrary JavaScript in the victim's browser.


No fix is currently available. Consider using an alternative package until a fix is made available.