[Secure-testing-team] Bug#746812: python-lxml: clean_html input sanitization flaw

Salvatore Bonaccorso carnil at debian.org
Sat May 3 21:21:11 UTC 2014


Source: lxml
Severity: important
Tags: security upstream fixed-upstream

Hi

It was found that the clean_html() function does not properly clean
HTML input if it includes non-printed characters (\x01-\x08). For
details see [1], [2] and [3].

 [1] http://seclists.org/fulldisclosure/2014/Apr/210
 [2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1092613

Upstream has released a new version (3.3.5)[4] and the corresponding
commit is at [5].

 [4] http://lxml.de/3.3/changes-3.3.5.html
 [5] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

Regards,
Salvatore
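
Added example, not part of the original report and not lxml or Debian code: a defence-in-depth pre-filter that logs and strips the \x01-\x08 range from untrusted markup before it is handed to a sanitizer, plus a check of an upstream version string against 3.3.5. All function names are hypothetical and the sample input is constructed.

```python
import re

# Range named in the report: non-printing characters 0x01-0x08.
CONTROL_CHARS = re.compile(r"[\x01-\x08]")
# Upstream release named in the report as carrying the fix.
FIXED_VERSION = (3, 3, 5)


def find_control_chars(markup):
    """Return (offset, codepoint) pairs for each 0x01-0x08 character, for logging."""
    return [(m.start(), ord(m.group())) for m in CONTROL_CHARS.finditer(markup)]


def strip_control_chars(markup):
    """Drop 0x01-0x08 so the sanitizer inspects the text without them."""
    return CONTROL_CHARS.sub("", markup)


def is_fixed_version(version):
    """True if a dotted upstream version string is >= 3.3.5.

    Assumption: the string is an upstream version. A distribution package
    may carry the fix under an older version number, so check the package
    changelog as well.
    """
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= FIXED_VERSION


def prepare_for_cleaning(markup, lxml_version):
    """Pre-filter untrusted markup; returns (filtered_markup, findings, fixed)."""
    findings = find_control_chars(markup)
    return strip_control_chars(markup), findings, is_fixed_version(lxml_version)


if __name__ == "__main__":
    # Constructed sample input: harmless markup with two embedded control characters.
    sample = "<p>hel\x01lo <b>wor\x08ld</b></p>"
    cleaned, findings, fixed = prepare_for_cleaning(sample, "3.3.4")
    print(repr(cleaned), findings, fixed)
```

The filter has to run before sanitization, so that the sanitizer sees the same text that is later stored or rendered.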