Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13dmh4LXE0MjctZmdoM84AA7xy

Arbitrary HTML present after sanitization because of unicode normalization

Impact

With keep_typographic_whitespace=False (the default), the sanitizer applies NFKC unicode normalization as its last step, after the HTML has already been parsed and filtered. NFKC folds several compatibility characters into plain ASCII angle brackets (for example the fullwidth and small-form variants U+FF1C, U+FF1E, U+FE64 and U+FE65 become < and >), so text that was harmless when it was filtered turns into live markup afterwards. Specially crafted HTML can therefore escape sanitization.

Patches

The problem has been fixed in 2.4.2.

Workarounds

Set keep_typographic_whitespace=True explicitly, which skips the late NFKC step, or run NFKC normalization on the input yourself before handing it to the sanitizer, so that any characters that fold into angle brackets are already plain < and > when the HTML is parsed and filtered.
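Worked example, added here and not part of the advisory or of the html-sanitizer project: a stand-alone toy sanitizer built on the Python standard library (the names sanitize, sanitize_normalize_first, chevron_lookalikes and all_chevron_lookalikes are hypothetical) that reproduces the ordering bug described above. It filters HTML against a tag allowlist and escapes all text, then applies NFKC last, so fullwidth angle brackets that were inert text come out as real tags; the keep_typographic_whitespace argument only mirrors the name of the real setting and does not model the library. The payloads are constructed, and the last helper scans every code point for characters whose NFKC form contains < or >, which is the audit a practitioner would want before trusting any normalize-after-filter pipeline.

```python
import sys
import unicodedata
from html import escape
from html.parser import HTMLParser

# Hypothetical toy sanitizer: keeps a small allowlist of tags, escapes all text.
# It is NOT html-sanitizer; it only reproduces the ordering bug from the advisory.
_ALLOWED_TAGS = {"p", "b", "i", "em", "strong"}


class _AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []

    def handle_starttag(self, tag, attrs):
        if tag in _ALLOWED_TAGS:      # attributes are dropped entirely
            self._out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in _ALLOWED_TAGS:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is escaped, so an ASCII '<' in text can never become markup here.
        self._out.append(escape(data, quote=False))

    def result(self):
        return "".join(self._out)


def _filter_html(html):
    parser = _AllowlistFilter()
    parser.feed(html)
    parser.close()
    return parser.result()


def sanitize(html, keep_typographic_whitespace=False):
    """Models the pre-2.4.2 order: filter first, NFKC-normalize last.

    The argument name mirrors the real setting named in the advisory; the
    implementation is a toy and not the library's code.
    """
    cleaned = _filter_html(html)
    if keep_typographic_whitespace:
        return cleaned                                  # workaround 1: no late NFKC
    return unicodedata.normalize("NFKC", cleaned)       # the bug: '<' created after filtering


def sanitize_normalize_first(html):
    """Workaround 2 / fixed order: fold lookalikes before the parser sees the input."""
    return _filter_html(unicodedata.normalize("NFKC", html))


def chevron_lookalikes(text):
    """Characters in text (other than < and >) whose NFKC form contains < or >."""
    return sorted(
        c for c in set(text)
        if c not in "<>" and any(x in "<>" for x in unicodedata.normalize("NFKC", c))
    )


def all_chevron_lookalikes():
    """Scan every code point for NFKC mappings that yield an ASCII < or >."""
    found = set()
    for cp in range(sys.maxunicode + 1):
        if 0xD800 <= cp <= 0xDFFF:                      # skip surrogates
            continue
        c = chr(cp)
        # A code point with no decomposition mapping is its own NFKC form.
        if c not in "<>" and unicodedata.decomposition(c):
            if any(x in "<>" for x in unicodedata.normalize("NFKC", c)):
                found.add(c)
    return found


# Constructed payloads: fullwidth brackets, then the same via numeric character references.
PAYLOAD = "<p>hi</p>\uFF1Cimg src=x onerror=alert(1)\uFF1E"
CHARREF_PAYLOAD = "<p>hi</p>&#xFF1C;img src=x onerror=alert(1)&#xFF1E;"

if __name__ == "__main__":
    print("vulnerable  :", sanitize(PAYLOAD))
    print("flag set    :", sanitize(PAYLOAD, keep_typographic_whitespace=True))
    print("fixed order :", sanitize_normalize_first(PAYLOAD))
    print("via charref :", sanitize_normalize_first(CHARREF_PAYLOAD))
    print("lookalikes  :", [f"U+{ord(c):04X}" for c in sorted(all_chevron_lookalikes())])
```

In the vulnerable order the fullwidth brackets pass the filter as ordinary text and NFKC then rewrites them into a live img tag; with the flag set, or with normalization moved before the parser, the tag is dropped. Two details of the toy are worth noting for any real pipeline: numeric character references are a second way to deliver the lookalikes (the parser decodes them into the same fullwidth characters), and sanitize_normalize_first is safe only because nothing normalizes the output again afterwards. If a downstream component applied NFKC to the filtered text, the charref-delivered brackets would come back to life.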

Permalink: https://github.com/advisories/GHSA-wvhx-q427-fgh3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dmh4LXE0MjctZmdoM84AA7xy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago


Identifiers: GHSA-wvhx-q427-fgh3, CVE-2024-34078
References: Repository: https://github.com/matthiask/html-sanitizer
Blast Radius: 0.0

Affected Packages

pypi:html-sanitizer
Dependent packages: 14
Dependent repositories: 36
Downloads: 179,751 last month
Affected Version Ranges: < 2.4.2
Fixed in: 2.4.2
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1
All unaffected versions: 2.4.2, 2.4.3, 2.4.4