Impact
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).
Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Patches
3.1.4
Workarounds
do not whitelist the style attribute in bleach.clean calls
limit input string length
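One way to apply both workarounds in front of bleach.clean, shown as an added example that is not part of the advisory or the bleach project. The names without_style and guarded_clean and the MAX_INPUT_LEN value are hypothetical, and the cleaner is passed in as a parameter so the wrapper itself has no dependencies.

```python
# Added example: applies both workarounds from this advisory before the
# sanitizer runs. MAX_INPUT_LEN is an assumed limit; tune it to your content.
MAX_INPUT_LEN = 10_000


def without_style(attributes):
    """Return a copy of a bleach `attributes` allowlist that never permits `style`.

    bleach accepts a list, a dict of tag -> list/callable, or a callable
    (tag, name, value) -> bool; all three shapes are handled here.
    """
    if callable(attributes):
        # Wrap the caller's predicate so `style` is refused before it is asked.
        return lambda tag, name, value: (
            name.lower() != "style" and attributes(tag, name, value)
        )
    if isinstance(attributes, dict):
        # Recurse into each per-tag rule (including the "*" wildcard entry).
        return {tag: without_style(rule) for tag, rule in attributes.items()}
    return [name for name in attributes if name.lower() != "style"]


def guarded_clean(text, clean, attributes, max_len=MAX_INPUT_LEN, **kwargs):
    """Call `clean` (normally bleach.clean) with both workarounds applied."""
    if len(text) > max_len:
        # Refuse instead of truncating, so markup is never cut mid-tag.
        raise ValueError(f"input of {len(text)} chars exceeds limit {max_len}")
    return clean(text, attributes=without_style(attributes), **kwargs)


if __name__ == "__main__":
    import bleach  # only needed for this demo; must be installed separately

    sample = '<a href="/x" style="color: red">link</a>'  # constructed input
    print(guarded_clean(sample, bleach.clean, {"a": ["href", "style"]}))
```

Upgrading to the patched release remains the fix; the wrapper only enforces the workarounds for deployments that cannot upgrade yet.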
References
Credits
For more information
If you have any questions or comments about this advisory: