Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36823
Summary
Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize in versions 3.0.0 through 6.0.1 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows "style" elements and one or more CSS at-rules. This could result in Cross-site Scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize performs additional escaping of CSS in "style" element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow "style" elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence "</" as "<\/" in "style" element content.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published