Skip to content

XSS in HtmlSanitizer

Low severity GitHub Reviewed Published Jan 4, 2021 in mganss/HtmlSanitizer • Updated Feb 1, 2023

Package

nuget HtmlSanitizer (NuGet)

Affected versions

< 5.0.372

Patched versions

5.0.372

Description

Impact

If you have explicitly allowed the <style> tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style> tag so there is no risk if you have not explicitly allowed the <style> tag.

Patches

The problem has been fixed in version 5.0.372.

Workarounds

Remove the <style> tag from the set of allowed tags.

For more information

If you have any questions or comments about this advisory open an issue in https://github.com/mganss/HtmlSanitizer

Credits

This issue was discovered by Michal Bentkowski of Securitum.

References

@mganss mganss published to mganss/HtmlSanitizer Jan 4, 2021
Reviewed Jan 4, 2021
Published to the GitHub Advisory Database Jan 4, 2021
Published by the National Vulnerability Database Jan 4, 2021
Last updated Feb 1, 2023

Severity

Low

EPSS score

0.081%
(37th percentile)

CVE ID

CVE-2020-26293

GHSA ID

GHSA-8j9v-h2vp-2hhv

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.