A mutation XSS affects users calling bleach.clean
with all of:
svg
or math
in the allowed tagsp
or br
in allowed tagsstyle
, title
, noscript
, script
, textarea
, noframes
, iframe
, or xmp
in allowed tagsstrip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments
defaults to True
.
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
modify bleach.clean
calls to at least one of:
style
, title
, noscript
, script
, textarea
, noframes
, iframe
, or xmp
tagsvg
or math
tagsp
or br
tagsstrip_comments=True
A strong Content-Security-Policy without unsafe-inline
and unsafe-eval
script-src
s) will also help mitigate the risk.
If you have any questions or comments about this advisory:
{ "nvd_published_at": "2023-02-16T22:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-02-02T15:54:20Z" }