
XSS in Bleach when noscript and raw tag whitelisted

Description

### Impact

A [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with `noscript` and at least one raw tag (listed below) in the allowed/whitelisted tags option. The sanitizer's output is safe as it stands, but a browser re-parsing it serializes `noscript` content differently from the parser Bleach used, so markup that was inert during cleaning becomes live script in the page.

### Patches

Fixed in v3.1.1.

### Workarounds

* Modify `bleach.clean` calls so that the allowed tags do not include `noscript` together with one or more of the following raw tags:

  ```
  title
  textarea
  script
  style
  noembed
  noframes
  iframe
  xmp
  ```

* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) whose [`script-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) contains neither `unsafe-inline` nor `unsafe-eval` will also help mitigate the risk.

### References

* https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
* https://cure53.de/fp170.pdf
* https://nvd.nist.gov/vuln/detail/CVE-2020-6802
* https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

### Credits

* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx

### For more information

If you have any questions or comments about this advisory:

* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)
* Email us at [security@mozilla.org](mailto:security@mozilla.org)
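The two workarounds above (reject or strip `noscript` when a raw tag is also allowed, and serve a CSP whose effective `script-src` has no `unsafe-inline`/`unsafe-eval`) are easy to enforce before `bleach.clean` is ever called. The pre-flight checks below are an added example written for this page, not code from the Bleach project or the advisory; the function names, the `is_affected_version` helper and the sample allowlist and CSP strings are all constructed here for illustration. The raw-tag list and the 3.1.1 fix version are taken from the advisory.

```python
"""Pre-flight checks for the Bleach noscript + raw-tag mutation XSS (CVE-2020-6802).

Added example for this advisory page; not part of Bleach. It does not import
bleach, so it runs offline: call these helpers on your own allowlist and CSP
before passing the result to bleach.clean().
"""
import re
from typing import Iterable, List, Optional, Set

# Raw-text / escapable-raw-text tags named in the advisory. Whitelisting any of
# these together with noscript is the unsafe combination.
RAW_TAGS = frozenset({
    "title", "textarea", "script", "style",
    "noembed", "noframes", "iframe", "xmp",
})

PATCHED_VERSION = (3, 1, 1)  # first release with the fix, per the advisory


def is_affected_version(version: str) -> bool:
    """True if this Bleach version predates the 3.1.1 fix (e.g. "3.1.0", "2.1.4")."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))   # pad "0.1" -> (0, 1, 0)
    return parts < PATCHED_VERSION


def conflicting_raw_tags(allowed_tags: Iterable[str]) -> Set[str]:
    """Return the raw tags that, together with noscript, make the allowlist unsafe.

    An empty set means workaround 1 is already satisfied.
    """
    tags = {t.lower() for t in allowed_tags}
    if "noscript" not in tags:
        return set()
    return tags & RAW_TAGS


def harden_allowed_tags(allowed_tags: Iterable[str]) -> List[str]:
    """Workaround 1: drop noscript from the allowlist when a raw tag is also allowed.

    Order is preserved so the result can be passed straight to bleach.clean(tags=...).
    """
    tags = [t.lower() for t in allowed_tags]
    if conflicting_raw_tags(tags):
        tags = [t for t in tags if t != "noscript"]
    return tags


def _directive_sources(csp: str, name: str) -> Optional[List[str]]:
    """Source list of one CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        dname, _, value = directive.strip().partition(" ")
        if dname.lower() == name:
            return value.lower().split()
    return None


def csp_script_src_is_strict(csp: str) -> bool:
    """Workaround 2: the effective script-src contains neither 'unsafe-inline' nor 'unsafe-eval'.

    script-src falls back to default-src when absent, exactly as browsers do.
    No policy at all (neither directive) is treated as not strict.
    """
    sources = _directive_sources(csp, "script-src")
    if sources is None:
        sources = _directive_sources(csp, "default-src")
    if sources is None:
        return False
    return not ({"'unsafe-inline'", "'unsafe-eval'"} & set(sources))


if __name__ == "__main__":
    # Constructed sample inputs: a hypothetical allowlist that hits the bug
    # and a CSP that would not contain it.
    allowlist = ["p", "a", "noscript", "style"]
    csp = "default-src 'self'; script-src 'self' 'unsafe-inline'"

    print("affected 3.1.0:", is_affected_version("3.1.0"))
    print("conflicting:", conflicting_raw_tags(allowlist))
    print("hardened:", harden_allowed_tags(allowlist))
    print("csp strict:", csp_script_src_is_strict(csp))
    # Real usage on an affected release would then be:
    #   bleach.clean(untrusted_html, tags=harden_allowed_tags(allowlist))
```

`harden_allowed_tags` removes `noscript` rather than the raw tag because `noscript` is rarely something an application needs in user content, while `title`, `textarea` or `style` often are; if your application needs `noscript`, upgrade to 3.1.1 or later instead. The CSP check only tells you the policy would block the inline payload; it does not make the sanitizer output correct, so treat it as defence in depth.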


Affected Software


| Name | Version |
|------|---------|
| bleach | 0.1 |
| bleach | 0.1.1 |
| bleach | 0.1.2 |
| bleach | 0.2 |
| bleach | 0.2.1 |
| bleach | 0.2.2 |
| bleach | 0.3 |
| bleach | 0.3.1 |
| bleach | 0.3.3 |
| bleach | 0.3.4 |
| bleach | 0.5.0 |
| bleach | 0.5.1 |
| bleach | 1.0.0 |
| bleach | 1.0.1 |
| bleach | 1.0.2 |
| bleach | 1.0.3 |
| bleach | 1.0.4 |
| bleach | 1.1.0 |
| bleach | 1.1.1 |
| bleach | 1.1.2 |
| bleach | 1.1.3 |
| bleach | 1.1.4 |
| bleach | 1.1.5 |
| bleach | 1.2 |
| bleach | 1.2.1 |
| bleach | 1.2.2 |
| bleach | 1.4 |
| bleach | 1.4.1 |
| bleach | 1.4.2 |
| bleach | 1.4.3 |
| bleach | 1.5.0 |
| bleach | 2.0.0 |
| bleach | 2.1 |
| bleach | 2.1.1 |
| bleach | 2.1.2 |
| bleach | 2.1.3 |
| bleach | 2.1.4 |
| bleach | 3.0.0 |
| bleach | 3.0.1 |
| bleach | 3.0.2 |
| bleach | 3.1.0 |
