Headline
GHSA-p2g9-94wh-65c2: Space bug in `clean_text`
An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug:
let html = format!("<div title={}>", clean_text(user_supplied_string));
Applications are not affected if they quote their attributes, or if they don’t use clean_text at all.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-p2g9-94wh-65c2
Space bug in `clean_text`
Moderate severity GitHub Reviewed Published Jun 16, 2022 • Updated Jun 16, 2022
Package
cargo ammonia (Rust)
Affected versions
>= 3.0.0, < 3.1.3
Description
An incorrect mapping from HTML specification to ASCII codes was used.
Because HTML treats the Form Feed as whitespace, code like this has an injection bug:
let html = format!("<div title={}>", clean_text(user_supplied_string));
Applications are not affected if they quote their attributes, or if they don’t use clean_text at all.
References
- rust-ammonia/ammonia#147
- https://rustsec.org/advisories/RUSTSEC-2022-0003.html
Weaknesses
GHSA ID
GHSA-p2g9-94wh-65c2
Source code