GO-2022-0588

Source
https://pkg.go.dev/vuln/GO-2022-0588
Import Source
https://vuln.go.dev/ID/GO-2022-0588.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0588
Aliases
Published
2022-08-15T18:02:24Z
Modified
2024-05-20T16:03:47Z
Summary
Cross-site scripting via leaked style elements in github.com/microcosm-cc/bluemonday
Details

The bluemonday HTML sanitizer can leak the contents of a "style" element into HTML output, potentially causing XSS vulnerabilities.

The default bluemonday sanitization policies are not vulnerable. Only user-defined policies allowing "select", "style", and "option" elements are affected.

Permitting the "style" element in policies is hazardous, because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and "script" elements even when allowed by a policy unless the policy explicitly requests unsafe processing.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0588"
}
References

Affected packages

Go / github.com/microcosm-cc/bluemonday

Package

Name
github.com/microcosm-cc/bluemonday
Purl
pkg:golang/github.com/microcosm-cc/bluemonday

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.0.16

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/microcosm-cc/bluemonday",
            "symbols": [
                "Policy.AllowElements",
                "Policy.AllowElementsMatching",
                "Policy.AllowLists",
                "Policy.AllowTables",
                "UGCPolicy"
            ]
        }
    ]
}