MEDIUM
GHSA-93q6-wwjh-jc6h
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Details
## Finding
**Location**: `core/src/server/render-to-string.ts:307-311`
CSS value sanitization stripped `expression(` and `url(javascript:` with a simple regex, but the check could be bypassed with CSS unicode escapes (`\65xpression(`), null bytes, or CSS comments (`exp/**/ression(`) placed inside the keyword.
**Mitigating Factor**: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.
## Status
**Fixed in v0.2.136** — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for `behavior:`, `-moz-binding`, and `-o-link` patterns.
Affected packages
npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.136
Fix: `npm install @asymmetric-effort/specifyjs@0.2.136`