Vulnerability Report: GO-2022-0588
- CVE-2021-42576, GHSA-x95h-979x-cf3j
- Affects: github.com/microcosm-cc/bluemonday
- Published: Aug 15, 2022
- Modified: May 20, 2024
The bluemonday HTML sanitizer, in versions before v1.0.16, can leak the contents of a "style" element into its HTML output, which can lead to cross-site scripting (XSS). The default bluemonday sanitization policies are not vulnerable. Only user-defined policies that allow the "select", "style", and "option" elements are affected. Permitting the "style" element in any policy is hazardous regardless of version, because bluemonday does not contain a CSS sanitizer, so whatever a "style" element contains reaches the output unsanitized. Newer versions of bluemonday suppress "style" and "script" elements even when a policy allows them, unless the policy explicitly requests unsafe processing.
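The conditions above are easy to get wrong in a dependency review, so here is an added example (not code from this report or from the bluemonday project) that encodes them as an audit over a policy configuration and a module version. It uses only the standard library and a hypothetical PolicyConfig type instead of calling bluemonday, so it runs offline; the finding codes, the element list, and the sample policies are constructed for the example. The version comparison treats a pre-release or Go pseudo-version of v1.0.16 (for example v1.0.16-0.2021...) as still affected, because such versions sort before the release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PolicyConfig is a hypothetical model of a user-defined sanitizer policy:
// the elements it allows and whether unsafe processing of raw-text elements
// was explicitly requested. It is not bluemonday's own Policy type.
type PolicyConfig struct {
	Allowed     []string
	AllowUnsafe bool
}

// Finding is one audit result; Code is stable for programmatic checks.
type Finding struct {
	Code string
	Msg  string
}

// fixedVersion is the first release the report lists as not affected.
var fixedVersion = [3]int{1, 0, 16}

// parseVersion splits "v1.0.16" or "v1.0.16-0.20210101000000-abcdef123456"
// into its numeric core and reports whether a pre-release suffix is present.
func parseVersion(v string) (core [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata does not affect ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release (incl. Go pseudo-versions)
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false, false
		}
		core[i] = n
	}
	return core, pre, true
}

// VersionAffected reports whether version sorts before v1.0.16 under semver
// ordering; a pre-release of v1.0.16 itself sorts before the release.
func VersionAffected(version string) (bool, error) {
	core, pre, ok := parseVersion(version)
	if !ok {
		return false, fmt.Errorf("unparseable module version %q", version)
	}
	for i := range fixedVersion {
		if core[i] != fixedVersion[i] {
			return core[i] < fixedVersion[i], nil
		}
	}
	return pre, nil
}

// AuditPolicy checks a policy and module version against the report's conditions.
func AuditPolicy(cfg PolicyConfig, version string) []Finding {
	allowed := make(map[string]bool, len(cfg.Allowed))
	for _, e := range cfg.Allowed {
		allowed[strings.ToLower(strings.TrimSpace(e))] = true
	}
	var out []Finding
	affected, err := VersionAffected(version)
	if err != nil {
		out = append(out, Finding{"VERSION-UNKNOWN", err.Error()})
		affected = true // unknown version: assume the worst
	}
	if affected && allowed["select"] && allowed["style"] && allowed["option"] {
		out = append(out, Finding{"GO-2022-0588", "select, style and option are allowed on " +
			version + " (before v1.0.16): style contents can leak into HTML output; upgrade"})
	}
	if allowed["style"] {
		out = append(out, Finding{"STYLE-NO-CSS-SANITIZER",
			"style is allowed: bluemonday has no CSS sanitizer, so its contents are not sanitized"})
	}
	for _, raw := range []string{"style", "script"} {
		if allowed[raw] && !cfg.AllowUnsafe {
			out = append(out, Finding{"SUPPRESSED-WITHOUT-UNSAFE", raw +
				" is allowed without an explicit unsafe opt-in: v1.0.16 and later suppress it anyway"})
		}
	}
	return out
}

// HasFinding reports whether findings contains a Finding with the given code.
func HasFinding(findings []Finding, code string) bool {
	for _, f := range findings {
		if f.Code == code {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policies, not taken from any real project.
	vuln := PolicyConfig{Allowed: []string{"select", "option", "style"}}
	for _, v := range []string{"v1.0.15", "v1.0.16"} {
		fmt.Printf("%s:\n", v)
		for _, f := range AuditPolicy(vuln, v) {
			fmt.Printf("  [%s] %s\n", f.Code, f.Msg)
		}
	}
}
```

In a real policy the unsafe opt-in corresponds to the explicit request the report mentions (in bluemonday itself that is the Policy.AllowUnsafe method, which this page does not name); the point of the audit is that a policy allowing "style" is a finding on every version, while the select/style/option combination is the specific leak fixed in v1.0.16.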
Affected Packages
- Path: github.com/microcosm-cc/bluemonday
- Go Versions: before v1.0.16
References
- https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
- https://vuln.go.dev/ID/GO-2022-0588.json