GHSA-p2g9-94wh-65c2: Space bug in `clean_text`

June 16, 2022

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don’t use clean_text at all.

References

github.com/advisories/GHSA-p2g9-94wh-65c2
github.com/rust-ammonia/ammonia
github.com/rust-ammonia/ammonia/commit/6c7bf22907a75d1bbaed52e4f7dd9716f5e6f737
github.com/rust-ammonia/ammonia/pull/147
rustsec.org/advisories/RUSTSEC-2022-0003.html

Code Behaviors & Features

Detect and mitigate GHSA-p2g9-94wh-65c2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →