Homepage
About Snyk

bleach@3.1.4 vulnerabilities

An easy safelist-based HTML-sanitizing tool.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the bleach package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

bleach is a whitlist-based HTML sanitizing library that escapes or strips markup and attributes.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A mutation XSS affects users calling bleach.clean when svg or math, p or br , and style are in the allowed tags, and the keyword argument is set strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments is set to True by default.

Workarounds

modify bleach.clean calls to either not allow the style tag, not allow svg or math tags, not allow p or br tags, and/or set strip_comments=True

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

How to fix Cross-site Scripting (XSS)?

Upgrade bleach to version 3.3.0 or higher.

[,3.3.0)
Go back to all versions of this package