Описание
Security update for python-lxml_html_clean
This update for python-lxml_html_clean fixes the following issues:
Changes in python-lxml_html_clean:
- CVE-2026-28348: improper keywords checking can allow external CSS loading (bsc#1259378)
- CVE-2026-28350: lack of base tag handling can allow the hijacking of the resolution of relative URLs (bsc#1259379)
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1259378
- SUSE Bug 1259379
- SUSE CVE CVE-2026-28348 page
- SUSE CVE CVE-2026-28350 page
Описание
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
Затронутые продукты
Ссылки
- CVE-2026-28348
- SUSE Bug 1259378
Описание
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.
Затронутые продукты
Ссылки
- CVE-2026-28350
- SUSE Bug 1259379