—

PYSEC-2018-51

Details

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / bleach

Introduced in: 0 Fixed in: c5df5789ec3471a31311f42c2d19fc2cf21b35ef

Fix pip install --upgrade 'bleach>=c5df5789ec3471a31311f42c2d19fc2cf21b35ef'

References

https://github.com/mozilla/bleach/releases/tag/v2.1.3 [WEB]
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef [FIX]
https://bugs.debian.org/892252 [WEB]
https://github.com/advisories/GHSA-m9mq-p2f9-cfqv [ADVISORY]