An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-lxml-dbg": "3.3.3-1ubuntu0.2", "python-lxml": "3.3.3-1ubuntu0.2", "python-lxml-dbg": "3.3.3-1ubuntu0.2", "python-lxml-dbgsym": "3.3.3-1ubuntu0.2", "python-lxml-doc": "3.3.3-1ubuntu0.2", "python3-lxml": "3.3.3-1ubuntu0.2", "python3-lxml-dbgsym": "3.3.3-1ubuntu0.2" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python-lxml": "3.5.0-1ubuntu0.1", "python3-lxml-dbg": "3.5.0-1ubuntu0.1", "python-lxml-doc": "3.5.0-1ubuntu0.1", "python3-lxml": "3.5.0-1ubuntu0.1", "python-lxml-dbg": "3.5.0-1ubuntu0.1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python-lxml": "4.2.1-1ubuntu0.1", "python3-lxml-dbg": "4.2.1-1ubuntu0.1", "python-lxml-doc": "4.2.1-1ubuntu0.1", "python3-lxml": "4.2.1-1ubuntu0.1", "python-lxml-dbg": "4.2.1-1ubuntu0.1" } ] }