Cross-Site Scripting in bleach

2020-09-03T17:13:45
ID GHSA-5634-RV46-48JF
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T17:13:45

Description

All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as "<<script><</script>script>alert('xss');</<script><</script>script>" regardless of the passed options. This may allow attackers to execute arbitrary JavaScript in the victim's browser.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.