Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

PT-2026-44727

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

Cross-site Scripting (XSS)

Overview symfony/html-sanitizer is a Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM. Affected versions of this package are vulnerable to Cross-site Scripting XSS via incomplete URL attribute validation in UrlAttributeSanitizer. An attacke...

Astra Linux - уязвимость в lxml

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

EUVD-2018-6836

Malware in sbrugna...

Medium: python-lxml

Issue Overview: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this...

SUSE CVE-2018-14954

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute...

SUSE CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack XSS when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data...

python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack XSS when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data...

ALSA-2021:4158 Moderate: python-lxml security update

lxml is an XML processing library providing access to libxml2 and libxslt libraries using the Python ElementTree API. Security Fixes: python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS CVE-2021-28957 For more details about the security issues, including the...

OESA-2021-1178 python-lxml security update

The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. It is unique in that it combines the speed and XML feature completeness of these libraries with the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. The latest...

GHSA-JQ4V-F5Q6-MJQQ lxml vulnerable to Cross-Site Scripting

An XSS vulnerability was discovered in the python lxml clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

CVE-2021-28957

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack XSS when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data...

ALPINE-CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

SquirrelMail Cross-Site Scripting Vulnerability (CNVD-2019-19609)

SquirrelMail is a cross-platform use of PHP4 development Webmail mail system . A cross-site scripting vulnerability exists in the email message display page of SquirrelMail 1.4.22 and earlier versions, which can be exploited by remote attackers to inject malicious scripts into a web page and...

CVE-2018-14954

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute...

Cross site scripting

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute...