CVE-2020-26293: Cross-site Scripting
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents of constructs that can lead to XSS attacks. In HtmlSanitizer, there is a possible XSS bypass if the `<style>` tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that still includes script after passing through the sanitizer. The default settings disallow the `<style>` tag, so there is no risk if you have not explicitly allowed it.
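As an added example (not from the advisory or the HtmlSanitizer project), the following C# checks whether a sanitizer instance has `<style>` in its allow list, which is the precondition the advisory describes, and shows the hardened configuration next to the risky one. It assumes HtmlSanitizer 5.x, where the class lives in the `Ganss.XSS` namespace; `StyleTagAudit` and its methods are hypothetical names, and the HTML fragment is constructed sample input.

```csharp
// Added example, not code from the advisory or from the HtmlSanitizer project.
// Assumes HtmlSanitizer 5.x (class HtmlSanitizer in the Ganss.XSS namespace).
using System;
using Ganss.XSS;

static class StyleTagAudit
{
    // True when this instance has been configured to let <style> through,
    // i.e. when the configuration described in CVE-2020-26293 is in effect.
    public static bool AllowsStyleTag(HtmlSanitizer sanitizer) =>
        sanitizer.AllowedTags.Contains("style");

    // Mitigation: remove <style> from the allow list so the sanitizer strips it again,
    // which restores the library's default behaviour for that tag.
    public static void DisallowStyleTag(HtmlSanitizer sanitizer) =>
        sanitizer.AllowedTags.Remove("style");

    static void Main()
    {
        // Default configuration: <style> is not in AllowedTags, so the advisory does not apply.
        var withDefaults = new HtmlSanitizer();
        Console.WriteLine($"default config allows <style>: {AllowsStyleTag(withDefaults)}");

        // Risky configuration: an application has explicitly added <style> to the allow list.
        var risky = new HtmlSanitizer();
        risky.AllowedTags.Add("style");
        Console.WriteLine($"custom config allows <style>: {AllowsStyleTag(risky)}");

        // Constructed sample input: a harmless fragment that carries a <style> block.
        const string fragment = "<p>hello</p><style>p { color: red; }</style>";

        // While <style> is allowed, the block is passed through to the output.
        Console.WriteLine(risky.Sanitize(fragment));

        // After hardening, the same instance strips the <style> block.
        DisallowStyleTag(risky);
        Console.WriteLine(risky.Sanitize(fragment));
    }
}
```

Running `AllowsStyleTag` over every `HtmlSanitizer` instance your application constructs is a quick way to confirm that no code path has opted in to the risky configuration.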