An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by “j a v a s c r i p t:” in Internet Explorer. This is a similar issue to CVE-2014-3146.
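
The bypass class described above, as an added example (not lxml's code or its actual fix): a scheme check that only trims the ends of an attribute value misses “j a v a s c r i p t:”, while one that removes all whitespace and control characters before comparing catches it. The function names and sample values are constructed for illustration, and the input is assumed to be an attribute value already decoded by the HTML parser.

```python
import re

# Assumption for this example: characters a lenient URL parser may ignore
# inside a scheme are whitespace plus ASCII control characters.
_IGNORABLE = re.compile(r"[\s\x00-\x1f\x7f]+")
_SCHEME = "javascript:"


def naive_is_javascript_url(value: str) -> bool:
    """Weak check: trims only the ends, so an escaped scheme slips through."""
    return value.strip().lower().startswith(_SCHEME)


def is_javascript_url(value: str) -> bool:
    """Hardened check: drop every ignorable character, then compare."""
    collapsed = _IGNORABLE.sub("", value).lower()
    return collapsed.startswith(_SCHEME)


def clean_url_attribute(value: str, replacement: str = "") -> str:
    """Return the value unchanged unless it resolves to a javascript: URL."""
    return replacement if is_javascript_url(value) else value


# Constructed sample attribute values (not taken from the advisory).
SAMPLES = [
    "javascript:void(0)",            # plain form, both checks catch it
    "j a v a s c r i p t:void(0)",   # spaced form named in the advisory
    "java\tscript:void(0)",          # embedded tab
    "  JavaScript:void(0)",          # leading space and mixed case
    "https://example.com/?q=javascript:",  # benign, scheme is https
    "/docs/java script: notes",      # benign relative path
]


def missed_by_naive(samples):
    """Values the hardened check flags but the naive check lets through."""
    return [s for s in samples
            if is_javascript_url(s) and not naive_is_javascript_url(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} naive={naive_is_javascript_url(s)!s:5} "
              f"hardened={is_javascript_url(s)}")
```

The hardened check is deliberately conservative: a relative URL that begins with `java script:` would also be removed.
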
CPE Name | Operator | Version |
---|---|---|
lxml | eq | lxml-2.0alpha1 |
lxml | eq | lxml-4.2.3-win |
lxml | eq | lxml-1.0.beta |
lxml | eq | lxml-3.6.3 |
lxml | eq | lxml-2.3beta1 |
lxml | eq | lxml-2.1 |
lxml | eq | lxml-3.5.0 |
lxml | eq | lxml-3.3.6 |
lxml | eq | lxml-1.1 |
lxml | eq | lxml-3.3.1 |