An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python-lxml" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python-lxml-dbg" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python-lxml-dbgsym" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python-lxml-doc" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python3-lxml" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python3-lxml-dbg" }, { "binary_version": "3.3.3-1ubuntu0.2", "binary_name": "python3-lxml-dbgsym" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.5.0-1ubuntu0.1", "binary_name": "python-lxml" }, { "binary_version": "3.5.0-1ubuntu0.1", "binary_name": "python-lxml-dbg" }, { "binary_version": "3.5.0-1ubuntu0.1", "binary_name": "python-lxml-doc" }, { "binary_version": "3.5.0-1ubuntu0.1", "binary_name": "python3-lxml" }, { "binary_version": "3.5.0-1ubuntu0.1", "binary_name": "python3-lxml-dbg" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "4.2.1-1ubuntu0.1", "binary_name": "python-lxml" }, { "binary_version": "4.2.1-1ubuntu0.1", "binary_name": "python-lxml-dbg" }, { "binary_version": "4.2.1-1ubuntu0.1", "binary_name": "python-lxml-doc" }, { "binary_version": "4.2.1-1ubuntu0.1", "binary_name": "python3-lxml" }, { "binary_version": "4.2.1-1ubuntu0.1", "binary_name": "python3-lxml-dbg" } ] }