bleach@0.5.1 vulnerabilities
An easy safelist-based HTML-sanitizing tool.
- latest version: 6.1.0
- latest non vulnerable version:
- first published: 14 years ago
- latest version published: 7 months ago
- licenses detected: [0.1,1.4)
Direct Vulnerabilities
Known vulnerabilities in the bleach package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version
---|---
Cross-site Scripting (XSS), mutation XSS | [,3.3.0)
Regular Expression Denial of Service (ReDoS) | [,3.1.4)
Cross-site Scripting (XSS) | [,3.1.2)
Cross-site Scripting (XSS) | [,3.1.1)
Cross-site Scripting (XSS) | [,2.1)

Cross-site Scripting (XSS), vulnerable versions [,3.3.0)
bleach is a whitelist-based HTML sanitizing library that escapes or strips markup and attributes. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A mutation XSS affects users calling the sanitizer with specific additional tags allowed. Note: none of those tags are in the default allowed tags, so callers using the default safelist are not affected by this path.
Workarounds: modify the allowed tags so the triggering combination is not permitted. A strong Content-Security-Policy that does not allow inline script limits the impact of any mutation XSS.
How to fix Cross-site Scripting (XSS)? Upgrade to a version outside the vulnerable range (3.3.0 or later).

Regular Expression Denial of Service (ReDoS), vulnerable versions [,3.1.4)
bleach is a whitelist-based HTML sanitizing library that escapes or strips markup and attributes. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS): calls to the sanitizer on crafted input can be made to spend excessive time in regular-expression matching, so untrusted input can exhaust CPU on the host doing the sanitizing.
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade to a version outside the vulnerable range (3.1.4 or later).

Cross-site Scripting (XSS), vulnerable versions [,3.1.2)
bleach is a whitelist-based HTML sanitizing library that escapes or strips markup and attributes. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the sanitizer.
How to fix Cross-site Scripting (XSS)? Upgrade to a version outside the vulnerable range (3.1.2 or later).

Cross-site Scripting (XSS), vulnerable versions [,3.1.1)
bleach is a whitelist-based HTML sanitizing library that escapes or strips markup and attributes. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via calling the sanitizer.
Details
A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site into accepting a request as originating from a trusted source. This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages, usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.
Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability. Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML the characters that delimit tags and attributes are escaped so that they render as text rather than as markup.
The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality, and deliver malware.
Types of attacks: there are a few methods by which XSS can be carried out.
Affected environments: the following environments are susceptible to an XSS attack.
How to prevent: this section describes the top best practices designed to specifically protect your code.
How to fix Cross-site Scripting (XSS)? Upgrade to a version outside the vulnerable range (3.1.1 or later).

Cross-site Scripting (XSS), vulnerable versions [,2.1)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
How to fix Cross-site Scripting (XSS)? Upgrade to a version outside the vulnerable range (2.1 or later).
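The advisories above all concern the same two behaviours of a safelist sanitizer (escape or strip disallowed markup, and filter attributes) and the one property a mutation XSS breaks: the sanitizer's output must not re-parse into new, unsanitized markup. The following is an added example, not bleach's code and not its default safelist; it is a minimal standard-library sanitizer in the spirit of bleach.clean(), with a `strip` switch, an entity-decoded URL-scheme check for `href`, and an idempotence check (`is_idempotent`) that a practitioner can run against their own allowed-tag configuration as a smoke test. The tag and attribute safelists, `safe_url`, and the sample inputs are constructed for this example.

```python
# Added example, not bleach's own code: a minimal safelist-based HTML
# sanitizer on the standard library, in the spirit of bleach.clean(). It
# shows escaping vs. stripping disallowed markup, attribute and URL-scheme
# filtering, and an idempotence check: a sanitizer is only safe if
# re-parsing its own output cannot yield new, unsanitized markup, which is
# exactly the property a mutation XSS breaks. The safelists and inputs here
# are constructed for the example and are not bleach's defaults.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "em", "i", "strong", "p", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """Accept relative URLs and allowed schemes only.

    Whitespace and control characters are removed first because browsers
    ignore them inside the scheme ("java\\tscript:" still runs). The check
    runs on the entity-decoded value HTMLParser hands us, so an encoded
    scheme such as "&#x6a;avascript:" is decoded before being rejected."""
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    # No ':' before the first '/', '?' or '#' means there is no scheme at all.
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True
    return v.startswith(ALLOWED_SCHEMES)


class SafelistSanitizer(HTMLParser):
    def __init__(self, strip):
        super().__init__(convert_charrefs=True)
        self.strip = strip   # True: drop disallowed tags; False: escape them
        self.out = []

    def _start(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue        # event handlers etc. never reach the output
            value = value or ""
            if name == "href" and not safe_url(value):
                continue        # drop the attribute, keep the element
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(self._start(tag, attrs))
        elif not self.strip:
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # "<br/>" is handled as one token

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        elif not self.strip:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text, including raw <script>/<style> bodies, is always re-escaped.
        self.out.append(escape(data, quote=False))

    # Comments, doctypes, CDATA sections and processing instructions are
    # dropped outright: they are a classic place for parser-differential
    # (mutation) tricks, so nothing of them is forwarded.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass
    def handle_pi(self, data): pass


def clean(html, strip=False):
    parser = SafelistSanitizer(strip)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def is_idempotent(html, strip=False):
    """Mutation-XSS smoke test: sanitizing twice must equal sanitizing once."""
    once = clean(html, strip)
    return clean(once, strip) == once


if __name__ == "__main__":
    sample = '<p>Hi <b>there</b><script>alert(1)</script></p>'  # constructed input
    print(clean(sample))               # <script> escaped to text
    print(clean(sample, strip=True))   # <script> tags removed, text kept
    print(clean('<a href="java\tscript:alert(1)" onclick="x" title="t">link</a>'))
    print(is_idempotent(sample))
```

The idempotence check is the cheap, generic guard: run it over a corpus of hostile inputs with your real allowed-tag list, and any case where `clean(clean(x)) != clean(x)` is a parser-differential candidate worth a manual look, regardless of which sanitizer version is installed.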