ammonia v4.1.2

Michael Howell
2025-09-21 18:38:37 -07:00
committed by Dirkjan Ochtman
parent 0c700a4438
commit baa969879d


@@ -0,0 +1,39 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "ammonia"
date = "2025-09-21"
categories = ["format-injection"]
keywords = ["html", "xss"]
[versions]
patched = [">= 4.1.2", ">= 4.0.1, < 4.1.0", ">= 3.3.1, < 4.0.0"]
```
# Incorrect handling of embedded SVG and MathML leads to mutation XSS after removal
Affected versions of this crate did not correctly strip namespace-incompatible tags
in certain situations, causing it to incorrectly account for differences between HTML,
SVG, and MathML.
This vulnerability only has an effect when the `svg` or `math` tag is allowed,
because it relies on a tag being parsed as html during the cleaning process, but
serialized in a way that causes in to be parsed as xml by the browser.
Additionally, the application using this library must allow a tag that is parsed as raw text in HTML.
These [elements] are:
* title
* textarea
* xmp
* iframe
* noembed
* noframes
* plaintext
* noscript
* style
* script
Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs
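Review bot: the sentence "serialized in a way that causes in to be parsed as xml by the browser" has a typo ("in" for "it"), and the markup names are written inconsistently across the description ("html", "xml" in lowercase next to "HTML", "SVG", and "MathML" in the opening paragraph); suggest "serialized in a way that causes it to be parsed as XML by the browser" so that the two paragraphs read the same. The `[advisory]` table also carries no `url` pointing at the fix commit or upstream advisory and no `aliases` entry, so a reader of the rendered advisory has no way to get from the three patched ranges in `[versions]` to the change that closes the issue; adding `url` (and `aliases` if a CVE or GHSA identifier has been issued) would make the entry self-describing. Minor: the list of raw-text elements would be easier to act on if the description stated that these are the tags whose contents html5ever parses as raw text rather than as child elements, which is the property the pinned `rules.rs` link is meant to document.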