
Cross-site scripting in Bleach

Description

### Impact

A [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:

* `svg` or `math` in the allowed tags
* `p` or `br` in allowed tags
* `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in allowed tags
* the keyword argument `strip_comments=False`

Note: none of the above tags are in the default allowed tags and `strip_comments` defaults to `True`.

### Patches

Users are encouraged to upgrade to bleach v3.3.0 or greater.

Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

### Workarounds

* modify `bleach.clean` calls to do at least one of:
  * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tags
  * not allow `svg` or `math` tags
  * not allow `p` or `br` tags
  * set `strip_comments=True`
* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) will also help mitigate the risk.

### References

* https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
* https://advisory.checkmarx.net/advisory/CX-2021-4303
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
* https://cure53.de/fp170.pdf

### Credits

* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx
* Additional eject tags not mentioned in the original advisory, and the CSP mitigation line being truncated in the revised advisory, reported by [Michał Bentkowski](https://twitter.com/SecurityMB) at Securitum

### For more information

If you have any questions or comments about this advisory:

* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)
* Email us at [security@mozilla.org](mailto:security@mozilla.org)
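The four conditions above are a conjunction, so a reviewer's first question is which of them a given `bleach.clean` call satisfies. The following audit helper is an added example, not code from the bleach project: it checks an allowed-tag list and `strip_comments` flag against the advisory's conditions and applies the first workaround (dropping the raw-text tags). The tag list it audits is constructed for illustration.

```python
"""Audit a bleach.clean() configuration against the four conditions in this
advisory and show the tag-removal workaround. Pure Python, bleach not required."""
from typing import Iterable, List, Tuple

# Tag groups named in the advisory. The mutation XSS needs a tag from EACH of
# the first three groups plus strip_comments=False.
NAMESPACE_TAGS = frozenset({"svg", "math"})
PARAGRAPH_TAGS = frozenset({"p", "br"})
RAW_TEXT_TAGS = frozenset({"style", "title", "noscript", "script",
                           "textarea", "noframes", "iframe", "xmp"})


def audit_clean_config(tags: Iterable[str],
                       strip_comments: bool = True) -> Tuple[bool, List[str]]:
    """Return (vulnerable, findings) for an allowed-tag list and strip_comments flag.

    `vulnerable` is True only when all four advisory conditions hold; `findings`
    lists every condition that holds so a reviewer can see which one to break.
    Tag names are compared case-insensitively.
    """
    allowed = {t.lower() for t in tags}
    findings: List[str] = []
    for label, group in (("namespace tag", NAMESPACE_TAGS),
                         ("p/br tag", PARAGRAPH_TAGS),
                         ("raw-text tag", RAW_TEXT_TAGS)):
        hit = sorted(allowed & group)
        if hit:
            findings.append(f"{label} allowed: {', '.join(hit)}")
    if not strip_comments:
        findings.append("strip_comments=False")
    return len(findings) == 4, findings


def harden_tags(tags: Iterable[str]) -> List[str]:
    """Apply the first workaround: drop the raw-text tags, keeping order and case."""
    return [t for t in tags if t.lower() not in RAW_TEXT_TAGS]


if __name__ == "__main__":
    # Constructed rich-text whitelist (not from any real project) that happens
    # to satisfy every condition in the advisory.
    risky_tags = ["p", "br", "b", "i", "svg", "style"]
    print(audit_clean_config(risky_tags, strip_comments=False))   # vulnerable: True
    # Workaround 1: remove the raw-text tags; only three conditions remain.
    print(audit_clean_config(harden_tags(risky_tags), strip_comments=False))
    # Workaround 2: keep the tags but leave strip_comments at its default.
    print(audit_clean_config(risky_tags, strip_comments=True))     # vulnerable: False
```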


Affected Software


Name Version
bleach 0.1
bleach 0.1.1
bleach 0.1.2
bleach 0.2
bleach 0.2.1
bleach 0.2.2
bleach 0.3
bleach 0.3.1
bleach 0.3.3
bleach 0.3.4
bleach 0.5.0
bleach 0.5.1
bleach 1.0.0
bleach 1.0.1
bleach 1.0.2
bleach 1.0.3
bleach 1.0.4
bleach 1.1.0
bleach 1.1.1
bleach 1.1.2
bleach 1.1.3
bleach 1.1.4
bleach 1.1.5
bleach 1.2
bleach 1.2.1
bleach 1.2.2
bleach 1.4
bleach 1.4.1
bleach 1.4.2
bleach 1.4.3
bleach 1.5.0
bleach 2.0.0
bleach 2.1
bleach 2.1.1
bleach 2.1.2
bleach 2.1.3
bleach 2.1.4
bleach 3.0.0
bleach 3.0.1
bleach 3.0.2
bleach 3.1.0
bleach 3.1.1
bleach 3.1.2
bleach 3.1.3
bleach 3.1.4
bleach 3.1.5
bleach 3.2.0
bleach 3.2.1
bleach 3.2.2
bleach 3.2.3
