A mutation XSS affects users calling `bleach.clean` with all of:

* `svg` or `math` in the allowed/whitelisted tags
* `strip=False`
Users are encouraged to upgrade to bleach v3.1.2 or greater.
Workarounds: modify `bleach.clean` calls to use `strip=True`, or do not whitelist `math` or `svg` tags together with one or more of the following tags:

* `script`
* `noscript`
* `style`
* `noframes`
* `xmp`
* `noembed`
* `iframe`
A strong Content-Security-Policy without `unsafe-inline` and `unsafe-eval` `script-src`s will also help mitigate the risk.
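As an added example (not code from the bleach project or from this advisory), the script below applies the conditions above to `bleach.clean` call sites found in Python source: a call is flagged when its literal `tags` argument contains `svg` or `math` plus one of the listed tags while `strip` is omitted or set to `False`. Calls with non-literal arguments are skipped, and the source it scans is a constructed sample.

```python
"""Added audit helper: flag bleach.clean() call sites whose literal arguments
match the affected configuration described in the advisory."""
import ast

FOREIGN_TAGS = {"svg", "math"}
RCDATA_TAGS = {"script", "noscript", "style", "noframes", "xmp", "noembed", "iframe"}
# Positional parameter order of bleach.clean, used to resolve positional args.
CLEAN_PARAMS = ["text", "tags", "attributes", "styles", "protocols", "strip"]

def is_affected(tags, strip):
    """True when a (tags, strip) configuration meets all advisory conditions."""
    tags = set(tags)
    return bool(tags & FOREIGN_TAGS) and strip is False and bool(tags & RCDATA_TAGS)

def _is_bleach_clean(node):
    func = node.func
    return (isinstance(func, ast.Attribute) and func.attr == "clean"
            and isinstance(func.value, ast.Name) and func.value.id == "bleach")

def audit_source(src):
    """Return [(lineno, sorted_tags, strip)] for affected bleach.clean calls.
    Calls whose tags/strip values are not literals are skipped (undecidable)."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and _is_bleach_clean(node)):
            continue
        args = {"strip": False}  # bleach's default is strip=False
        pairs = list(zip(CLEAN_PARAMS, node.args)) + [(k.arg, k.value) for k in node.keywords]
        try:
            for name, value in pairs:
                if name in ("tags", "strip"):
                    args[name] = ast.literal_eval(value)
        except ValueError:
            continue  # dynamic argument: cannot decide statically
        if "tags" in args and is_affected(args["tags"], args["strip"]):
            findings.append((node.lineno, sorted(args["tags"]), args["strip"]))
    return findings

# Constructed sample source; only the second call (line 3) is affected.
SAMPLE = """import bleach
a = bleach.clean(body, tags=["p", "svg", "script"], strip=True)
b = bleach.clean(body, ["p", "svg", "script"])
c = bleach.clean(body, tags=["p", "math"], strip=False)
"""

if __name__ == "__main__":
    for lineno, tags, strip in audit_source(SAMPLE):
        print(f"line {lineno}: affected (tags={tags}, strip={strip})")
```

Run it over your own tree by feeding each file's contents to `audit_source`; a skipped call with a runtime-built tag list still needs a manual look.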
If you have any questions or comments about this advisory:
Published to NVD: 2020-03-24T22:15:00Z. CWE: CWE-79. Severity: Moderate. Reviewed by GitHub: 2020-03-23T22:25:38Z.