GO-2022-0588

Source
https://pkg.go.dev/vuln/GO-2022-0588
Import Source
https://vuln.go.dev/ID/GO-2022-0588.json
Aliases
Published
2022-08-15T18:02:24Z
Modified
2023-12-14T15:51:14Z
Details

The bluemonday HTML sanitizer can leak the contents of a "style" element into HTML output, potentially causing XSS vulnerabilities.

The default bluemonday sanitization policies are not vulnerable. Only user-defined policies allowing "select", "style", and "option" elements are affected.

Permitting the "style" element in policies is hazardous, because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and "script" elements even when allowed by a policy unless the policy explicitly requests unsafe processing.

References

Affected packages

Go / github.com/microcosm-cc/bluemonday

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.0.16

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/microcosm-cc/bluemonday",
            "symbols": [
                "Policy.AllowElements",
                "Policy.AllowElementsMatching",
                "Policy.AllowLists",
                "Policy.AllowTables",
                "UGCPolicy"
            ]
        }
    ]
}