
Cross-Site Scripting (XSS)

Description

bleach is vulnerable to cross-site scripting (XSS). Invoking the `bleach.clean` method with a scripting parameter set to `FALSE` and with raw tags (such as title, textarea, script, style, noembed, noframes, iframe, xmp) allows BleachHTMLParser to process user-contributed content using the innerHTML property, which lets browsers mutate harmless content into a malicious XSS string that executes when the new DOM element is rendered. It affects all three major browsers: IE, Firefox, and Chrome.


Affected Software


| CPE Name | Name | Version |
|---|---|---|
| | bleach | 3.1.0 |
| | bleach | 2.1.4 |
| | bleach | 2.1 |
| | py3-bleach | 3.1.0-r1 |
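
A triage helper for the two conditions above, added here as an example and not part of the advisory or of bleach itself: it checks a requirements file for a bleach pin listed under Affected Software and checks a tag allowlist for the raw tags named in the description. It assumes the raw tags reach `bleach.clean` through its `tags=` allowlist; the function names and sample inputs are constructed for illustration.

```python
import re

# Tag names and versions are copied from the advisory text; the version list
# is only what the page shows and may not be exhaustive.
RAW_TEXT_TAGS = {"title", "textarea", "script", "style",
                 "noembed", "noframes", "iframe", "xmp"}
AFFECTED_VERSIONS = {"3.1.0", "2.1.4", "2.1"}

# Constructed sample inputs (not from the page).
SAMPLE_REQUIREMENTS = """\
# web deps
Django==2.2.10
bleach==3.1.0  # HTML sanitizer
bleach-allowlist==1.0.3
"""
SAMPLE_TAGS = ["p", "a", "b", "TextArea", "style"]

# Matches 'bleach==X' and 'bleach[extra]==X', but not 'bleach-allowlist==X'.
_PIN = re.compile(r"^\s*bleach(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)", re.I)


def _norm(version):
    """Drop trailing '.0' segments so '2.1.0' compares equal to '2.1' (PEP 440)."""
    parts = version.split(".")
    while len(parts) > 1 and parts[-1] == "0":
        parts.pop()
    return ".".join(parts)


def pinned_bleach_versions(requirements_text):
    """Return every version that bleach is pinned to with '=='."""
    lines = (ln.split("#", 1)[0] for ln in requirements_text.splitlines())
    return [m.group(1) for m in map(_PIN.match, lines) if m]


def risky_tags(allowed_tags):
    """Raw tags from the advisory found in an allowlist (assumed to be tags=...)."""
    return sorted({t.lower() for t in allowed_tags} & RAW_TEXT_TAGS)


def audit(requirements_text, allowed_tags):
    """Flag for review only when an affected pin and a raw tag occur together."""
    affected = {_norm(v) for v in AFFECTED_VERSIONS}
    hits = [v for v in pinned_bleach_versions(requirements_text)
            if _norm(v) in affected]
    tags = risky_tags(allowed_tags)
    return {"affected_pins": hits, "raw_text_tags": tags,
            "review": bool(hits and tags)}
```

Unpinned or range-pinned requirements return no versions here, so resolve those against the installed package before treating a clean result as meaningful.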
