HistoryEditJSON (OSV)

RUSTSEC-2022-0003

Space bug in clean_text

Reported
Issued
Package
ammonia (crates.io)
Type
Vulnerability
Categories
Keywords
#html #xss
Aliases
References
Patched
  • >=3.1.3
Unaffected
  • <3.0.0
Affected Functions
Version
ammonia::clean_text
  • <=3.1.2

Description

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("<div title={}>", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don't use clean_text at all.

Advisory available under CC0-1.0 license.