FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-bleach -- unsanitized character entities

Affected packages
2.1.0 <= py27-bleach < 2.1.3
2.1.0 <= py36-bleach < 2.1.3


VuXML ID e97a8852-32dd-4291-ba4d-92711daff056
Discovery 2018-03-05
Entry 2018-07-27

bleach developer reports:

Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

This security issue was introduced in Bleach 2.1. Anyone using Bleach 2.1 is highly encouraged to upgrade.
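The bypass described above comes down to where in the pipeline the scheme allowlist is applied. The following is an added illustration, not Bleach's own code: a naive check that looks at the raw, entity-encoded attribute text beside a check that first decodes character entities (and, going slightly beyond the report, strips the tab/newline characters browsers ignore inside URLs) so that it sees the same value the browser will. Scheme list, regex and sample values are constructed for the example.

```python
import html
import re
from typing import Optional

# Constructed allowlist for the example; real sanitizers are configurable.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax at the start of the value, followed by ':'.
_SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.\-]*):")


def scheme_of(value: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for scheme-less (relative) URLs."""
    m = _SCHEME_RE.match(value)
    return m.group(1).lower() if m else None


def allowed_naive(value: str) -> bool:
    """Vulnerable pattern: test the attribute text exactly as it appears in the
    markup. An entity such as '&#106;' inside the scheme is never decoded, so the
    regex finds no scheme, the value looks relative, and it is let through."""
    s = scheme_of(value)
    return s is None or s in ALLOWED_SCHEMES


def normalize_uri(value: str) -> str:
    """Decode character entities, then drop the tab/CR/LF characters that browsers
    strip when parsing a URL, so the check operates on the effective value."""
    decoded = html.unescape(value)
    return re.sub(r"[\t\r\n]", "", decoded)


def allowed_decoded(value: str) -> bool:
    """Hardened pattern: apply the allowlist to the normalized value."""
    s = scheme_of(normalize_uri(value))
    return s is None or s in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample attribute values.
    samples = [
        "https://example.com/",
        "javascript:void(0)",
        "&#106;avascript:void(0)",           # entity-encoded 'j'
        "&#106;ava&#9;script:void(0)",       # entity-encoded 'j' plus a tab
    ]
    for v in samples:
        print(f"{v!r:36} naive={allowed_naive(v)!s:5} decoded={allowed_decoded(v)}")
```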