OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-23 15:38:27 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dea5184a2b91b3f93e77af637f83a73e4e93fde8
advisory-db/crates/ammonia/RUSTSEC-2022-0003.md
github-actions[bot] bf972ed7d4 Assigned RUSTSEC-2022-0003 to ammonia (#1153) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
2022-01-19 23:35:01 +01:00

699 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2022-0003"
package = "ammonia"
date = "2022-01-19"
url = "https://github.com/rust-ammonia/ammonia/pull/147"
categories = ["format-injection"]
keywords = ["html", "xss"]

[affected]
functions = { "ammonia::clean_text" = ["<= 3.1.2"] }

[versions]
patched = [">= 3.1.3"]
unaffected = ["< 3.0.0"]

Space bug in clean_text

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:

let html = format!("<div title={}>", clean_text(user_supplied_string));

Applications are not affected if they quote their attributes, or if they don't use clean_text at all.