Summary

Affected versions of Mozilla's Bleach are vulnerable to mutation XSS (mXSS) when bleach.clean is called with all of the following:

  • svg or math allowed
  • p or br allowed
  • one of the RCDATA tags allowed:
    script
    noscript
    style
    noframes
    xmp
    noembed
    iframe
  • and the argument strip_comments=False

Product

Bleach before 3.3.0.

Impact

According to GitHub, more than 72,000 repositories are dependent on Bleach. Among them are major vendors, including multiple Fortune 500 tech companies.

Steps to reproduce

>>> import bleach
>>> bleach.clean('<math></p><style><!--</style><img src/onerror=alert(1)>', tags=['math', 'p', 'style'], strip_comments=False)

Result (the string bleach.clean returns):

<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>

The stray </p> end tag does not break out of the <math> foreign content (only certain start tags do), so html5lib inserts an empty <p></p> inside <math> and then treats <style> as a MathML element rather than an HTML raw-text element. In that state "<!--" opens a comment that swallows "</style><img src/onerror=alert(1)>" up to the end of the input, and because strip_comments=False the comment is serialized back out unchanged. A browser re-parsing the output sees the <p> start tag, which does break out of <math>; <style> is then ordinary HTML raw text that ends at the first </style>, and the <img> that follows becomes a real element whose onerror handler fires.
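The following is an added illustration, not code from the advisory or from Bleach. It does two things: it flags a bleach.clean call whose allowed tags and strip_comments flag match all four conditions listed in the Summary, and it re-parses the sanitized output above with Python's stdlib html.parser, which treats <style> as raw text ending at the first </style> and knows nothing about MathML foreign content, exactly the state a browser is in once the <p> has broken out of <math>. The function names, the RCDATA_TAGS constant and the BLEACH_OUTPUT sample are assumptions of this example (the sample string is copied from the result shown above).

```python
"""Added illustration (not part of the advisory or of Bleach): flag the
risky bleach.clean configuration and show how a browser-style HTML parse
of Bleach's sanitized output differs from the parse Bleach performed."""
from html.parser import HTMLParser

# The seven html5lib "RCDATA" element names listed in the advisory.
RCDATA_TAGS = frozenset(
    {"script", "noscript", "style", "noframes", "xmp", "noembed", "iframe"}
)


def is_risky_clean_config(tags, strip_comments=True):
    """True when the allowed-tag list and strip_comments flag match all four
    conditions from the advisory: svg/math, p/br, an RCDATA tag, and comments
    kept. strip_comments defaults to True because that is bleach.clean's default."""
    allowed = {t.lower() for t in tags}
    return (
        bool(allowed & {"svg", "math"})
        and bool(allowed & {"p", "br"})
        and bool(allowed & RCDATA_TAGS)
        and not strip_comments
    )


class BrowserStyleParse(HTMLParser):
    """Records comments and every start tag carrying an on* attribute.

    html.parser handles <style> as raw text that ends at the first </style>
    and has no notion of MathML/SVG foreign content. That matches the
    tokenizer state a browser is in after the <p> start tag has broken out
    of <math>, which is why it serves as a stand-in here; it is not a full
    HTML5 tree builder.
    """

    def __init__(self):
        super().__init__()
        self.comments = []
        self.event_handlers = []

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name, value))


def browser_view(markup):
    """Return (comments, event_handlers) as a browser-style parse sees them."""
    parser = BrowserStyleParse()
    parser.feed(markup)
    parser.close()
    return parser.comments, parser.event_handlers


# Constructed sample: the string bleach < 3.3.0 returns for the advisory's
# proof of concept. Bleach parsed <style> as MathML content, so "<!--" opened
# a comment that swallowed "</style><img ...>" up to the end of the input.
BLEACH_OUTPUT = (
    '<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>'
)

if __name__ == "__main__":
    print(is_risky_clean_config(["math", "p", "style"], strip_comments=False))  # True
    comments, handlers = browser_view(BLEACH_OUTPUT)
    print(comments)  # [] : "<!--" is plain text inside <style>, not a comment
    print(handlers)  # [('img', 'onerror', 'alert(1)')]
```

The point of the second half is the disagreement between the two parses: the sanitizer saw one comment and no image element, while the browser-style parse sees no comment and an <img> with a live onerror attribute. The config check is the cheap part to wire into a code review or a unit test of your own bleach.clean wrapper while the upgrade is rolled out.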

Remediation

Update the bleach dependency to 3.3.0 or above. The issue only arises when all four conditions listed in the Summary hold, so until the upgrade lands, changing any one of them at the call site (for example passing strip_comments=True, or dropping svg and math from the allowed tags) avoids this particular bypass; that is a stopgap, not a substitute for upgrading.

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. Advisory
  2. Commit 79b7a3c