HistoryEdit

RUSTSEC-2022-0003

Space bug in clean_text

Issued
Package
ammonia (crates.io)
Type
Vulnerability
Categories
Keywords
#html #xss
Details
https://github.com/rust-ammonia/ammonia/pull/147
Patched
  • >=3.1.3
Unaffected
  • <3.0.0
Keywords
#html #xss
Affected Functions
Version
ammonia::clean_text
  • <=3.1.2

Description

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("<div title={}>", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don't use clean_text at all.