An XSS vulnerability was discovered in the python lxml
clean module versions before 4.6.3. When disabling the safe_attrs_only
and forms
arguments, the Cleaner
class does not remove the formaction
attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml
4.6.3.