Description
Cross-site scripting in bluemonday
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-29272
- https://github.com/microcosm-cc/bluemonday/issues/111
- https://github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee
- https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5
- https://pkg.go.dev/vuln/GO-2022-0762
- https://vuln.ryotak.me/advisories/4
- https://vuln.ryotak.me/advisories/4.txt
Packages
- github.com/microcosm-cc/bluemonday: affected versions < 1.0.5, fixed in 1.0.5