RUSTSEC-2022-0003
Space bug in clean_text
- Reported
-
- Issued
-
- Package
-
ammonia
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#html
#xss
- Aliases
-
- References
-
- Patched
-
- Unaffected
-
- Affected Functions
- Version
ammonia::clean_text
-
Description
An incorrect mapping from HTML specification to ASCII codes was used.
Because HTML treats the Form Feed as whitespace, code like this has an injection bug:
let html = format!("<div title={}>", clean_text(user_supplied_string));
Applications are not affected if they quote their attributes, or if they don't use clean_text
at all.
Advisory available under CC0-1.0
license.