oss-sec mailing list archives
Re: CVE Request: html5lib: potential cross-site scripting vulnerablity: quote attributes that need escaping in legacy browsers
From: <cve-assign () mitre org>
Date: Thu, 8 Dec 2016 01:40:01 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
As found in https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068/fix html5lib fixed a cross-site scripting vulnerability in upstream version 0.99999999 with commit https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7 References: https://github.com/html5lib/html5lib-python/issues/11 https://github.com/html5lib/html5lib-python/issues/12 Question about the CVE assignment for html5lib was raised as well in https://github.com/mozilla/bleach/issues/229
We are not sure of the optimal way to represent this in CVE. We are making this mapping, which we feel is adequate: Use CVE-2016-9909 for the mishandling of the '<' character in attribute values. Use CVE-2016-9910 for the mishandling of all of the other mentioned characters in attribute values. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYSPwUAAoJEHb/MwWLVhi2HSwP/3e58+AisDyrqaNcdRNrQvPG ri5lDi8E9AFA38gx2IEdyavHzmzc+dCFUz/KGrapeHV94MLiAszUJTK1kB9nqesI iagSlx9sbYZcwCvbpiKcYex8UvKMR24CX2faoxtzJulycsulrvYzJ9Jskq4aylCQ pw7XipGJMs3gHHaSCThGq2t/w5zEiHdYSfKjixKdwk9jczhLihoRSueGkDDyBy5O M9q27mSccXHEDa2Xq6Eyio6rsTsckA9DRYh0L36JYn83XhMqBdqK00LnfgfUorzi tN4Mrxgci7pAE4JFTqrK9aR+LJht1oLf2Z79foucvIRyiyU5swVEKFz8HekEMbEm wAVmV67qV6A/bfR23/86JoQNSv7WjYoqrfue0tAY4Q1EM5fF4qN590lWT3bfDprT 3wX9o8+3xt+JwSSQZdfw13jqjoJyxX10waJLcM02L72dM57OH7u8vB9c4xIiU14w /lhJxfW4DDNl4DNYuNE3Yj/auAPUCXhJfrY4RpjLFmfFSP48i2PNlgHCGXkE5cen 5OmoaJN58L7Vi2q4cgEtUPdqGCQGawfZ5NXIhOyTrP2dcdAa6r+RqStlMH6MB2Cx IEMvqZCxmKtFKOZdx+svgjtvaQ6zs6Csc+z1GBTQc64nJH52ivV+e6Vb446hJNXR TsPjDC+UafOQstWKp4Qe =ZAOJ -----END PGP SIGNATURE-----
Current thread:
- CVE Request: html5lib: potential cross-site scripting vulnerablity: quote attributes that need escaping in legacy browsers Salvatore Bonaccorso (Dec 06)
- Re: CVE Request: html5lib: potential cross-site scripting vulnerablity: quote attributes that need escaping in legacy browsers cve-assign (Dec 07)