CVE-2024-52595 – HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through

https://notcve.org/view.php?id=CVE-2024-52595

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. • https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808 https://github.com/fedora-python/lxml_html_clean/pull/19 https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page CWE-184: Incomplete List of Disallowed Inputs •