OPENSUSE-SU-2026:20345-1 Security update for python-lxml_html_clean

This update for python-lxmlhtmlclean fixes the following issues: Changes in python-lxmlhtmlclean: - CVE-2026-28348: improper keywords checking can allow external CSS loading bsc1259378 - CVE-2026-28350: lack of base tag handling can allow the hijacking of the resolution of relative URLs bsc125937...

SUSE CVE-2026-28348

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the hassneakyjavascript method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression filters,...

CVE-2026-28348 lxml_html_clean: CSS @import Filter Bypass via Unicode Escapes

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the hassneakyjavascript method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression filters,...

lxml-html-clean has CSS @import Filter Bypass via Unicode Escapes

Summary The hassneakyjavascript method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression filters, allowing external CSS loading or XSS in older browsers. Details The root cause is located in clean.py around...