Headline
CVE-2021-35043: Release Release version 1.6.4 · nahsra/antisamy
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.
This release addresses issue #87, which also fixes CVE-2021-35043.
Thanks to Zachary Sims for responsibly disclosing the issue.