QID 982824
QID 982824: Python (pip) Security Update for bleach (GHSA-m6xf-fq7q-8743)
A security update has been released for bleach to fix the vulnerability.
A [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of the following:
* the `svg` or `math` tag in the allowed/whitelisted tags
* an RCDATA tag (listed below) in the allowed/whitelisted tags
* the keyword argument `strip=False` (the default)
Solution
Users are encouraged to upgrade to bleach v3.1.2 or greater.
Workarounds:
* modify `bleach.clean` calls to use `strip=True`, or remove `math` and `svg` from the allowed tags, or remove every one of the following RCDATA tags from the allowed tags (the issue requires both groups to be allowed at once):
```
script
noscript
style
noframes
xmp
noembed
iframe
```
* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) whose [`script-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) omits `unsafe-inline` and `unsafe-eval` will also help mitigate the risk, but it is defence in depth, not a substitute for the upgrade.
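The three preconditions above are easy to check mechanically. The following is an added example, not code from the advisory or from the bleach project: it audits the `tags` allowlist and `strip` flag that a call site would pass to `bleach.clean`, optionally takes the installed bleach version string, and returns a hardened `(tags, strip)` pair that applies one of the two workarounds. The tag sets are the ones named on this page; the function names, the `prefer` parameter and the sample allowlists are assumptions made for the example.

```python
"""Audit a bleach.clean() configuration for the GHSA-m6xf-fq7q-8743 precondition.

Added example; not code from the advisory or from the bleach project.
"""
import re

# RCDATA tags listed in the advisory's workaround section.
RCDATA_TAGS = frozenset(
    {"script", "noscript", "style", "noframes", "xmp", "noembed", "iframe"}
)
# Foreign-content tags named in the advisory.
FOREIGN_CONTENT_TAGS = frozenset({"svg", "math"})
# First release that carries the fix, per the advisory.
FIXED_VERSION = (3, 1, 2)


def version_is_fixed(version):
    """True if a version string such as "3.1.2" is at least the first fixed release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "3.1" to (3, 1, 0)
    return parts >= FIXED_VERSION


def risky_tags(tags):
    """Return (foreign_content, rcdata) subsets of the allowlist, lower-cased."""
    lowered = {t.lower() for t in tags}
    return lowered & FOREIGN_CONTENT_TAGS, lowered & RCDATA_TAGS


def is_vulnerable_config(tags, strip=False, version=None):
    """All three advisory preconditions hold.

    If `version` is given and is already >= 3.1.2 the call is not affected
    regardless of its arguments.
    """
    if version is not None and version_is_fixed(version):
        return False
    foreign, rcdata = risky_tags(tags)
    return bool(foreign) and bool(rcdata) and not strip


def harden(tags, strip=False, prefer="strip"):
    """Return a (tags, strip) pair that no longer meets the precondition.

    prefer="strip": keep the allowlist and force strip=True (advisory workaround 1).
    prefer="tags":  keep strip as-is and drop svg/math from the allowlist
                    (advisory workaround 2; dropping one of the two groups suffices).
    Configurations that are not affected are returned unchanged.
    """
    tags = list(tags)
    if not is_vulnerable_config(tags, strip):
        return tags, strip
    if prefer == "strip":
        return tags, True
    return [t for t in tags if t.lower() not in FOREIGN_CONTENT_TAGS], strip


if __name__ == "__main__":
    # Constructed sample allowlists for the demonstration (assumption, not from the page).
    sample = ["p", "a", "svg", "style"]
    print("vulnerable:", is_vulnerable_config(sample, strip=False))
    print("hardened  :", harden(sample, strip=False, prefer="tags"))
```

The audit deliberately takes the arguments rather than importing bleach, so it runs against a code review or a configuration file without the library installed; with bleach present, feed it `bleach.__version__` as `version` and the resulting pair as `bleach.clean(text, tags=tags, strip=strip)`.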
Vendor References
- GHSA-m6xf-fq7q-8743 - github.com/advisories/GHSA-m6xf-fq7q-8743
CVEs related to QID 982824
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-m6xf-fq7q-8743 | bleach | | github.com/advisories/GHSA-m6xf-fq7q-8743 |