Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13dmh4LXE0MjctZmdoM84AA7xy
Arbitrary HTML present after sanitization because of unicode normalization
Impact
If using keep_typographic_whitespace=False (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization.
Patches
The problem has been fixed in 2.4.2.
Workarounds
Set keep_typographic_whitespace=True explicitly, or normalize to NFKC yourself earlier.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dmh4LXE0MjctZmdoM84AA7xy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 13 days ago
Updated: 13 days ago
Identifiers: GHSA-wvhx-q427-fgh3, CVE-2024-34078
References:
- https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3
- https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550
- https://github.com/advisories/GHSA-wvhx-q427-fgh3
Blast Radius: 0.0
Affected Packages
pypi:html-sanitizer
Dependent packages: 14Dependent repositories: 36
Downloads: 106,910 last month
Affected Version Ranges: < 2.4.2
Fixed in: 2.4.2
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1
All unaffected versions: 2.4.2, 2.4.3, 2.4.4