oss-sec mailing list archives

Re: CVE Request: html5lib: potential cross-site scripting vulnerability: quote attributes that need escaping in legacy browsers


From: <cve-assign () mitre org>
Date: Thu, 8 Dec 2016 01:40:01 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As found in
https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068/fix
html5lib fixed a cross-site scripting vulnerability in upstream
version 0.99999999 with commit

https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7

References:

https://github.com/html5lib/html5lib-python/issues/11
https://github.com/html5lib/html5lib-python/issues/12

Question about the CVE assignment for html5lib was raised as well in
https://github.com/mozilla/bleach/issues/229

We are not sure of the optimal way to represent this in CVE. We
are making this mapping, which we feel is adequate:

  Use CVE-2016-9909 for the mishandling of the '<' character in
  attribute values.

  Use CVE-2016-9910 for the mishandling of all of the other mentioned
  characters in attribute values.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
