CVE-2021-28957: Bug #1888153 “formaction attr allowing javascript in Cleaner() i...” : Bugs : lxml
An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, which allows JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript on users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
Python : sys.version_info(major=3, minor=8, micro=3, releaselevel='final', serial=0)
lxml.etree : (4, 5, 2, 0)
libxml used : (2, 9, 10)
libxml compiled : (2, 9, 10)
libxslt used : (1, 1, 34)
libxslt compiled : (1, 1, 34)
The following script creates a form and a button with a formaction attribute, which still lets XSS through when the button is clicked.
```
from lxml.html.clean import Cleaner

# Both non-default settings are needed for the bypass: forms=False keeps the
# <form>/<button> elements, safe_attrs_only=False keeps the formaction attribute.
cleaner = Cleaner(
    forms=False,
    safe_attrs_only=False,
)
print(cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>"""))
```
However, the same idea does not work for the action attribute on the form, which is somewhat equivalent:
```
In [1]: cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
Out[1]: '<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>'
In [2]: cleaner.clean_html("""<form id="test" action="javascript:alert(1)"></form><button form="test" type="submit">X</button>""")
Out[2]: '<div><form id="test" action=""></form><button form="test" type="submit">X</button></div>'
```
safe_attrs_only is an unsafe setting to disable, but it seems to respect the javascript setting, so I would argue that formaction should be added to the list of attributes that are removed by the javascript setting.
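Added example, not part of the bug report and not lxml's own code: a stdlib-only (html.parser) post-sanitization pass that drops any URL-bearing attribute, formaction and action included, whose scheme is javascript: or vbscript:, run over the exact markup the Cleaner let through in Out[1] above. It is the kind of defence-in-depth check worth keeping in front of a sanitizer whose attribute list you do not fully trust; the permanent fix is the upgrade to lxml 4.6.3. The attribute set, the scheme list, and the normalization of embedded whitespace are this example's own assumptions.

```python
"""Post-sanitization check for script-scheme URLs in formaction and similar attributes.

Stdlib only, so it runs without lxml installed. The attribute and scheme lists
are this example's policy, not lxml's.
"""
import html
import re
from html.parser import HTMLParser

# Attributes a browser treats as a navigable or executable URL. formaction and
# action are the two the bug report is about; the rest are the usual suspects
# (assumed list, extend to taste).
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "poster", "background"}

# Schemes that execute script when navigated to. data: is deliberately left out
# because dropping it breaks inline images; handle it per your own policy.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")

# Browsers ignore ASCII control characters and whitespace inside a scheme, so
# "java\tscript:" and " JavaScript:" both navigate as javascript:.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20]")


def is_dangerous_url(value: str) -> bool:
    """True if the attribute value would be interpreted as a script-scheme URL."""
    normalized = _CTRL_OR_SPACE.sub("", value).lower()
    return normalized.startswith(DANGEROUS_SCHEMES)


class DangerousUrlStripper(HTMLParser):
    """Re-emits the markup it is fed, minus URL attributes with a dangerous scheme."""

    def __init__(self):
        # convert_charrefs=False passes text entities through verbatim; attribute
        # values are still decoded by html.parser, which is what lets an encoded
        # "java&#115;cript:" be caught.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attribute, original value)

    def _emit_tag(self, tag, attrs, self_closing):
        # html.parser hands us lower-cased tag and attribute names.
        parts = [tag]
        for name, value in attrs:
            if value is not None and name in URL_ATTRS and is_dangerous_url(value):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(name)  # boolean attribute such as disabled
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; a sanitized fragment has no use for them


def strip_dangerous_urls(markup: str):
    """Return (cleaned_markup, dropped_attributes) for an HTML fragment."""
    parser = DangerousUrlStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed input: exactly what Cleaner(forms=False, safe_attrs_only=False)
# returned for the reporter's payload in the session above.
LEAKED_BY_CLEANER = (
    '<div><form id="test"></form>'
    '<button form="test" formaction="javascript:alert(1)">X</button></div>'
)

if __name__ == "__main__":
    cleaned, dropped = strip_dangerous_urls(LEAKED_BY_CLEANER)
    print(cleaned)  # <div><form id="test"></form><button form="test">X</button></div>
    print(dropped)  # [('button', 'formaction', 'javascript:alert(1)')]
```

Run it on the sanitizer's output rather than its input: the point is to catch what the first pass missed, and the `dropped` list doubles as a log of bypass attempts worth alerting on. Note that this only covers URL-valued attributes; event-handler attributes (`on*`) are a separate check that safe_attrs_only=True already handles.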