Impact
If you have explicitly allowed the <style>
tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style>
tag so there is no risk if you have not explicitly allowed the <style>
tag.
Patches
The problem has been fixed in version 5.0.372.
Workarounds
Remove the <style>
tag from the set of allowed tags.
For more information
If you have any questions or comments about this advisory open an issue in https://github.com/mganss/HtmlSanitizer
Credits
This issue was discovered by Michał Bentkowski of Securitum.
Impact
If you have explicitly allowed the
<style>
tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the<style>
tag so there is no risk if you have not explicitly allowed the<style>
tag.Patches
The problem has been fixed in version 5.0.372.
Workarounds
Remove the
<style>
tag from the set of allowed tags.For more information
If you have any questions or comments about this advisory open an issue in https://github.com/mganss/HtmlSanitizer
Credits
This issue was discovered by Michał Bentkowski of Securitum.