Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) bleach is a whitlist-based HTML sanitizing library that escapes or strips markup and attributes. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A mutation XSS affects users calling `bleach.clean` when `svg` or `math`, `p` or `br` , and `style` are in the allowed tags, and the keyword argument is set `strip_comments=False` Note: none of the above tags are in the default allowed tags and `strip_comments` is set to `True` by default. Workarounds modify `bleach.clean` calls to either not allow the `style` tag, not allow `svg` or `math` tags, not allow `p` or `br` tags, and/or set `strip_comments=True` A strong Content-Security-Policy without `unsafe-inline` and `unsafe-eval` `script-src`s) will also help mitigate the risk. How to fix Cross-site Scripting (XSS)? Upgrade `bleach` to version 3.3.0 or higher.	[,3.3.0)

Cross-site Scripting (XSS)

bleach is a whitlist-based HTML sanitizing library that escapes or strips markup and attributes.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A mutation XSS affects users calling bleach.clean when svg or math, p or br , and style are in the allowed tags, and the keyword argument is set strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments is set to True by default.

Workarounds

modify bleach.clean calls to either not allow the style tag, not allow svg or math tags, not allow p or br tags, and/or set strip_comments=True

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

How to fix Cross-site Scripting (XSS)?

Upgrade bleach to version 3.3.0 or higher.

[,3.3.0)

Go back to all versions of this package