| id: GO-2022-0588 |
| modules: |
| - module: github.com/microcosm-cc/bluemonday |
| versions: |
| - fixed: 1.0.16 |
| vulnerable_at: 1.0.15 |
| packages: |
| - package: github.com/microcosm-cc/bluemonday |
| symbols: |
| - Policy.AllowElements |
| - Policy.AllowElementsMatching |
| derived_symbols: |
| - Policy.AllowLists |
| - Policy.AllowTables |
| - UGCPolicy |
| summary: |- |
| Cross-site scripting via leaked style elements in |
| github.com/microcosm-cc/bluemonday |
| description: |- |
| The bluemonday HTML sanitizer can leak the contents of a "style" element into |
| HTML output, potentially causing XSS vulnerabilities. |
| |
| The default bluemonday sanitization policies are not vulnerable. Only |
| user-defined policies allowing "select", "style", and "option" elements are |
| affected. |
| |
| Permitting the "style" element in policies is hazardous, because bluemonday does |
| not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and |
| "script" elements even when allowed by a policy unless the policy explicitly |
| requests unsafe processing. |
| published: 2022-08-15T18:02:24Z |
| cves: |
| - CVE-2021-42576 |
| ghsas: |
| - GHSA-x95h-979x-cf3j |
| references: |
| - fix: https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4 |
| - web: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/ |
