Impact
If you have explicitly allowed the <style> tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style> tag, so there is no risk if you have not explicitly allowed the <style> tag.
Patches
The problem has been fixed in version 5.0.372.
Workarounds
Remove the <style> tag from the set of allowed tags.
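To apply the workaround and confirm it took effect, an added C# example (not code from the advisory or the HtmlSanitizer project) that places the risky configuration beside the hardened one and checks that no <style> element survives sanitization; it assumes HtmlSanitizer 5.x with the Ganss.XSS namespace and uses a constructed, harmless sample input:

```csharp
// Added example, not part of the advisory or the HtmlSanitizer project.
// Assumes HtmlSanitizer 5.x (namespace Ganss.XSS) referenced from NuGet.
using System;
using Ganss.XSS;

static class StyleTagCheck
{
    // Constructed sample: ordinary content plus a benign <style> block.
    const string Sample = "<p>hello</p><style>p { color: red; }</style>";

    // Risky configuration: <style> explicitly added to the allow list.
    // This is the setting the advisory describes as affected before 5.0.372.
    static HtmlSanitizer RiskyConfig()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Add("style");
        return s;
    }

    // Hardened configuration: the advisory's workaround. Removing "style"
    // is a no-op on default settings, which never allowed the tag.
    static HtmlSanitizer HardenedConfig()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Remove("style");
        return s;
    }

    // True when the sanitized output contains no <style> element at all.
    static bool StripsStyle(HtmlSanitizer s)
    {
        string output = s.Sanitize(Sample);
        return output.IndexOf("<style", StringComparison.OrdinalIgnoreCase) < 0;
    }

    static void Main()
    {
        Console.WriteLine($"risky config strips <style>:    {StripsStyle(RiskyConfig())}");
        Console.WriteLine($"hardened config strips <style>: {StripsStyle(HardenedConfig())}");
    }
}
```

Run the check against the configuration your application actually builds, since the risk exists only where "style" has been added to AllowedTags.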
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/mganss/HtmlSanitizer
Credits
This issue was discovered by Michal Bentkowski of Securitum.
References