—

PYSEC-2020-28

Details

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / bleach

Introduced in: 0 Fixed in: 3.1.2

Fix pip install --upgrade 'bleach>=3.1.2'

References

https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 [ADVISORY]
https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach [ARTICLE]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5/ [WEB]
https://advisory.checkmarx.net/advisory/CX-2020-4277 [ADVISORY]