Cross-site scripting in Bleach


### Impact A [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of: * `svg` or `math` in the allowed tags * `p` or `br` in allowed tags * `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in allowed tags * the keyword argument `strip_comments=False` Note: none of the above tags are in the default allowed tags and `strip_comments` defaults to `True`. ### Patches Users are encouraged to upgrade to bleach v3.3.0 or greater. Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default. ### Workarounds * modify `bleach.clean` calls to at least one of: * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tag * not allow `svg` or `math` tags * not allow `p` or `br` tags * set `strip_comments=True` * A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk. ### References * https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 * https://advisory.checkmarx.net/advisory/CX-2021-4303 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980 * https://cure53.de/fp170.pdf ### Credits * Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx * Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by [Michał Bentkowski](https://twitter.com/SecurityMB) at Securitum ### For more information If you have any questions or comments about this advisory: * Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues) * Email us at [security@mozilla.org](mailto:security@mozilla.org)

Affected Software

CPE Name Name Version
bleach 3.3.0