MEDIUM

GHSA-93q6-wwjh-jc6h

@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString

Details

## Finding

**Location**: `core/src/server/render-to-string.ts:307-311`

CSS value sanitization stripped `expression(` and `url(javascript:` with a simple regex applied to the raw value, so the check could be bypassed with CSS unicode escapes (`\65xpression(`), null bytes, or CSS comments (`exp/**/ression(`), all of which a browser's CSS parser resolves to the original token before evaluation.

**Mitigating Factor**: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.

## Status

**Fixed in v0.2.136** — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for `behavior:`, `-moz-binding`, and `-o-link` patterns.
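The following is an added example, not SpecifyJS code, showing why matching on the raw value fails and what the normalize-then-match approach described above looks like: comments and null bytes are removed, CSS escapes are decoded, and only then are the dangerous patterns checked. The function names (`naiveIsSafe`, `hardenedIsSafe`, `sanitizeStyleValue`) and the sample values are constructed for this illustration and do not correspond to identifiers in the project.

```typescript
// Added example (not SpecifyJS code). Names and sample values are constructed.

// Patterns that must never survive into emitted CSS (matched after normalization).
const DANGEROUS_CSS = /expression\s*\(|url\(\s*["']?\s*javascript:|behavior\s*:|-moz-binding|-o-link/i;

// The weak approach: regex over the raw value only. Escapes and comments slip past it.
function naiveIsSafe(value: string): boolean {
  return !/expression\(|url\(javascript:/i.test(value);
}

// Convert a code point to a JS string without relying on String.fromCodePoint.
function codePointToString(cp: number): string {
  if (cp <= 0xffff) return String.fromCharCode(cp);
  cp -= 0x10000;
  return String.fromCharCode(0xd800 + (cp >> 10), 0xdc00 + (cp & 0x3ff));
}

// Decode CSS escapes the way a CSS tokenizer does:
//   "\65"  -> "e"   (1-6 hex digits, one following whitespace is consumed)
//   "\:"   -> ":"   (any other escaped character stands for itself)
// Null and out-of-range code points become U+FFFD, as in the CSS Syntax spec.
function decodeCssEscapes(value: string): string {
  return value.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\([\s\S])/g, (_m, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
      return codePointToString(cp);
    }
    return ch;
  });
}

// Normalize before matching: drop null bytes, strip /* comments */, decode escapes.
// Browsers decode escapes once; repeating until stable is deliberately stricter,
// so a doubly-encoded value is rejected rather than reasoned about.
function normalizeCssValue(value: string): string {
  let prev = value;
  for (let i = 0; i < 4; i++) {
    let v = prev.replace(/\u0000/g, "").replace(/\/\*[\s\S]*?\*\//g, "");
    v = decodeCssEscapes(v);
    if (v === prev) break;
    prev = v;
  }
  return prev.replace(/\s+/g, " ").trim();
}

// The hardened check: pattern-match the normalized form.
function hardenedIsSafe(value: string): boolean {
  return !DANGEROUS_CSS.test(normalizeCssValue(value));
}

// What a renderer would call: keep the original value if it is safe, drop it otherwise.
function sanitizeStyleValue(value: string): string | null {
  return hardenedIsSafe(value) ? value : null;
}
```

`sanitizeStyleValue` returns the original text rather than the normalized form, so a value that passes is emitted exactly as the author wrote it; the normalized form exists only to make the decision.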


Affected packages

npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.136
Fix: npm install @asymmetric-effort/specifyjs@0.2.136
