Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
Vulnerability Description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
lxml_html_clean 安全漏洞
Vulnerability Description
lxml_html_clean是Fedora Python SIG开源的一个从 lxml.HTML.clean 复制的 HTML 清理功能的单独项目。 lxml_html_clean 0.4.0之前版本存在安全漏洞,该漏洞源于特殊标签处理不当,容易受到跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A