Advisories for PyPI/Bleach package

2026

Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

A possible XSS bypass affects users calling bleach.clean with all of:

- a in the allowed tags
- href in allowed attributes

The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to: Bleach's output contains URI values that violate …

Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning

Bleach 6.3.0 exposes a documented email-linkification path through bleach.linkify(…, parse_email=True). The implementation scans attacker-controlled text with EMAIL_RE.finditer() over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes. Bleach applies URI protocol sanitization only to attributes listed in attr_val_is_uri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is not. As a result, if a downstream application explicitly allows formaction on submit-capable controls in untrusted HTML, Bleach preserves dangerous values such as javascript:alert(1) instead of stripping them. …

2021
2020

regular expression denial-of-service in Bleach

Impact

bleach.clean behavior parsing style attributes could result in a regular expression denial of service. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(…, attributes={'a': 'style'

Workarounds

- do not allowlist the style attribute in bleach.clean calls
- limit input string length

References

- https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
- https://www.regular-expressions.info/redos.html
- https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817

Credits

Reported by schwag09 of r2c

For more information

If you have any questions …

Cross-site Scripting

In Mozilla Bleach, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are in the allowlist with the keyword argument strip=False.

2018

Improper Input Validation

URI values are not properly sanitized if they contain character entities. Using character entities, it is possible to construct a URI value with parameters that slip through without being sanitized.