CVE-2023-44390 – HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content

https://notcve.org/view.php?id=CVE-2023-44390

05 Oct 2023 — HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. either `svg` or `math` are in the list of allowed elements. In the case an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that in the default configuration the vulnerability is not present. ... • https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •