-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-5jfw-gq64-q45f] HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through #5031
base: byt3n33dl3/advisory-improvement-5031
Are you sure you want to change the base?
Conversation
Hi there @frenzymadness! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
I'm not sure I agree that this is an improvement. This reads to me as a fluffing up of the text which degrades readability. The two references you add are also duplicative with what we already have on record. Maybe I'm missing it, but can you point out what new context you're adding to the advisory? |
I'm adding an improvement on the Phishing Attacks through SVG Payloads
Reflected XSS in Web Applications and DOM-Based XSS through JavaScript Integration
So mostly I want to add what other possibility of exploitation from this vuln, maybe in short it was
Summary While XSS is the most prominent vulnerability due to the mismanagement of these tags, the improper handling of , , and elements in lxml_html_clean creates opportunities for various exploits, from DoS and DOM clobbering to sophisticated bypass techniques. These scenarios emphasize the importance of upgrading to the patched version of lxml and implementing robust additional validation techniques when handling untrusted HTML content. |
Scenario of ExecutionHTML InjectionAttackers exploit the vulnerability to inject untrusted HTML content that appears sanitized but retains harmful structure due to context-switching issues. For example:
Embedded malicious iframes or forms disguised in legitimate-looking content. Stored XSSIn applications that persist sanitized HTML in databases or logs, malicious content can bypass sanitization and remain dormant until displayed in a vulnerable context. For instance
Hidden scripts in SVG animations ( or elements) may activate under certain conditions. Denial of Service (DoS) via Resource ExhaustionScenario is when An attacker creates complex nested
designed to consume excessive parsing resources. Since lxml may not handle such payloads efficiently, this could lead to: DOM ClobberingLeveraging improperly sanitized HTML to insert elements with unexpected IDs or names that overwrite critical DOM properties. For example
Impact: Manipulation of the client-side DOM behavior, potentially hijacking user actions or breaking application functionality. Open Redirects via Sanitized LinksFor example Attackers inject sanitized tags with event handlers or redirection payloads hidden within or . For instance
Impacting to a Exploitation of open redirects to conduct phishing or malware distribution campaigns. Code Execution via Polyglot PayloadsContext-switching behavior may allow injection of polyglot payloads that are interpreted differently depending on the parser or runtime environment. For example Cross-Origin Data ExfiltrationMalicious
For example Embedding
Impact: Sensitive user data could be leaked to an attacker-controlled domain. |
As @darakian pointed out, the added references are duplicates. I don't think all the examples of exploits you mentioned fit here. If you can provide examples of a crafted HTML code that pass through Thank you! |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
Updates
Comments
This update addresses a critical Cross-Site Scripting (XSS) vulnerability in the lxml-html-clean library, affecting versions < 0.4.0. The vulnerability arises from improper handling of special HTML tags such as , , and , allowing malicious scripts to bypass the HTML cleaning process.
The proposed improvement includes additional context about the exploit scenario, mitigation techniques, and real-world implications of the vulnerability. It also provides actionable examples and references, making the advisory more comprehensive and user-friendly. These enhancements ensure developers understand the risks and adopt best practices to secure their applications effectively.
This contribution aligns with the goal of the GitHub Security Advisory to provide detailed, actionable, and accurate information to the developer community for maintaining software security.