RUSTSEC-2022-0003

Space bug in clean_text

Reported

January 19, 2022

Issued

January 19, 2022 (last modified: June 13, 2023)

Package

ammonia (crates.io)

Type

Vulnerability

Categories

format-injection

Keywords

#html #xss

Aliases

GHSA-p2g9-94wh-65c2

References

https://github.com/rust-ammonia/ammonia/pull/147

Patched

>=3.1.3

Unaffected

<3.0.0

Affected Functions

Version

ammonia::clean_text

<=3.1.2

Description

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("<div title={}>", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don't use clean_text at all.

Advisory available under CC0-1.0 license.