Description
Space bug in clean_text
An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:
let html = format!("<div title={}>", clean_text(user_supplied_string));
Applications are not affected if they quote their attributes, or if they don't use clean_text at all.
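The effect described above, as an added example that is not ammonia's code: `escape`, its `skip_ff` flag and `attribute_count` are hypothetical stand-ins, and the input is a constructed sample. It shows that a form feed left unescaped splits an unquoted attribute value into a second attribute, while quoting the attribute or escaping all HTML whitespace keeps it as one.

```rust
/// ASCII whitespace per the HTML standard: TAB, LF, FF, CR, SPACE.
fn is_html_whitespace(c: char) -> bool {
    matches!(c, '\t' | '\n' | '\x0C' | '\r' | ' ')
}

/// Hypothetical escaper (not ammonia's implementation). With `skip_ff` set it
/// models the bug class: form feed is left out of the whitespace set.
fn escape(input: &str, skip_ff: bool) -> String {
    let mut out = String::new();
    for c in input.chars() {
        let special = matches!(c, '<' | '>' | '&' | '"' | '\'' | '=' | '`' | '/');
        let ws = is_html_whitespace(c) && !(skip_ff && c == '\x0C');
        if special || ws {
            out.push_str(&format!("&#{};", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

/// Count attributes in a start tag the way a tokenizer separates them:
/// HTML whitespace outside quotes ends the current attribute.
fn attribute_count(start_tag: &str) -> usize {
    let inner = start_tag.trim_start_matches('<').trim_end_matches('>');
    let (mut tokens, mut in_token, mut quote) = (0usize, false, None::<char>);
    for c in inner.chars() {
        if let Some(q) = quote {
            if c == q { quote = None; }
        } else if is_html_whitespace(c) {
            in_token = false;
        } else {
            if c == '"' || c == '\'' { quote = Some(c); }
            if !in_token { tokens += 1; in_token = true; }
        }
    }
    tokens.saturating_sub(1) // the first token is the tag name
}

fn main() {
    let input = "x\x0Chidden"; // constructed sample: form feed, then a benign attribute name
    let buggy = format!("<div title={}>", escape(input, true));
    let fixed = format!("<div title={}>", escape(input, false));
    let quoted = format!("<div title=\"{}\">", escape(input, true));
    println!("unquoted, FF missed:  {} attribute(s)", attribute_count(&buggy));
    println!("unquoted, FF escaped: {} attribute(s)", attribute_count(&fixed));
    println!("quoted,   FF missed:  {} attribute(s)", attribute_count(&quoted));
}
```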
Packages
Name
ammonia
rust
Affected versions: >= 3.0.0, < 3.1.3
Fixed version: 3.1.3
Weaknesses
CWE-79