blob: 4f5e452724d527157cac7987d307cf568508d5a0 [file] [log] [blame]
id: GO-2022-0588
modules:
- module: github.com/microcosm-cc/bluemonday
versions:
- fixed: 1.0.16
vulnerable_at: 1.0.15
packages:
- package: github.com/microcosm-cc/bluemonday
symbols:
- Policy.AllowElements
- Policy.AllowElementsMatching
derived_symbols:
- Policy.AllowLists
- Policy.AllowTables
- UGCPolicy
summary: |-
Cross-site scripting via leaked style elements in
github.com/microcosm-cc/bluemonday
description: |-
The bluemonday HTML sanitizer can leak the contents of a "style" element into
HTML output, potentially causing XSS vulnerabilities.
The default bluemonday sanitization policies are not vulnerable. Only
user-defined policies allowing "select", "style", and "option" elements are
affected.
Permitting the "style" element in policies is hazardous, because bluemonday does
not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and
"script" elements even when allowed by a policy unless the policy explicitly
requests unsafe processing.
published: 2022-08-15T18:02:24Z
cves:
- CVE-2021-42576
ghsas:
- GHSA-x95h-979x-cf3j
references:
- fix: https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- web: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
review_status: REVIEWED