OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-23 15:38:27 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
advisory-db/crates/ammonia/RUSTSEC-2022-0003.md
Alexis Mousset 84c633df9c Update aliases from GHSA OSV export (#1693)
2023-06-13 15:10:24 +02:00

733 B
Raw Permalink Blame History 

[advisory]
id = "RUSTSEC-2022-0003"
package = "ammonia"
date = "2022-01-19"
url = "https://github.com/rust-ammonia/ammonia/pull/147"
categories = ["format-injection"]
keywords = ["html", "xss"]
aliases = ["GHSA-p2g9-94wh-65c2"]

[affected]
functions = { "ammonia::clean_text" = ["<= 3.1.2"] }

[versions]
patched = [">= 3.1.3"]
unaffected = ["< 3.0.0"]

Space bug in clean_text

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("<div title={}>", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don't use clean_text at all.