Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 09 May 2014 09:49:52 +0200
From: Martin Prpic <>
Subject: CVE request: python-lxml clean_html() input sanitization flaw

Hi, can a CVE be assigned to the following issue?

The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.

This issue has been reported upstream at [2] and a patch is available at [3].


Red Hat Bugzilla bug:

Martin Prpič / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ