GHSA-57QW-CC2G-PV5P lxml Cross-site Scripting Via Control Characters
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function...
Debian Security Advisory DSA 2941-1 (lxml - security update)
It was discovered that the clean_html function of lxml, the Pythonic bindings for the libxml2 and libxslt libraries, performed insufficient sanitisation of some non-printable characters. This could lead to cross-site scripting. OpenVAS Vulnerability Test $Id: deb2941.nasl 6735 2017-07-17 09:56:49Z teissa $...
CVE-2014-3146
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function...
lxml - clean_html Security Bypass
lxml - clean_html Security Bypass source: https://www.securityfocus.com/bid/67159/info lxml is prone to a security-bypass vulnerability. An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Versions prior to lxml 3.3...
lxml Filter Bypass
Hi all, I've accidentally found a vulnerability in the clean_html function of the lxml Python library. A user can break the schema of a URL with non-printable chars \x01-\x08. Seems like all versions including the latest 3.3.4 are vulnerable. Here is the PoC. from lxml.html.clean import clean_html html = '''\ aaa bbb bbb b...