Advisories for PyPI/Bleach package

2021
2020

regular expression denial-of-service in Bleach

Impact

bleach.clean behavior when parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, ``bleach.clean(…, attributes={'a': 'style'``

Workarounds

do not allowlist the style attribute in bleach.clean calls
limit input string length

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
https://www.regular-expressions.info/redos.html
https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817

Credits

Reported by schwag09 of r2c

For more information

If you have any questions …

Cross-site Scripting

In Mozilla Bleach, a mutation XSS vulnerability exists in bleach.clean when RCDATA and either svg or math tags are in the allowlist and the keyword argument strip=False is used.

2018

Improper Input Validation

URI values are not properly sanitized if the values contain character entities. Using character entities, it is possible to construct a URI value with parameters that slip through without being sanitized.