
Third mutation XSS bug patched in Mozilla Bleach library

Bleach, a Python library that enables web developers to clean HTML input and prevent cross-site scripting (XSS) attacks, was itself found to have an XSS vulnerability, according to an advisory posted on GitHub by Mozilla, the library’s developer.


Mozilla Bleach escapes and removes characters that could otherwise lead to the execution of arbitrary code when rendered in a browser. As of this writing, more than 100,000 GitHub repositories depend on Bleach.


The vulnerability, discovered by researchers at Checkmarx, was found in the library’s clean() function, which sanitizes HTML code.

“We have no evidence of the vulnerability being exploited in the wild,” a spokesperson for Mozilla told The Daily Swig.

Mutation XSS

Before the cleaning process runs, developers configure which HTML tags clean() is allowed to leave in place.


A flaw in how the function handled certain configurations of allowed tags exposed it to “mutation XSS”, a variant of XSS that arises from the way browsers parse and repair HTML: markup that looks harmless when the sanitizer emits it can be interpreted differently once the browser renders it.

“Exploiting this vulnerability requires a non-default config, which is why we rated the severity as moderate,” the Mozilla spokesperson said.

“Producing this vulnerability requires satisfying a set of pre-conditions... If those conditions are met, the vulnerability can be reproduced.”


Mozilla has patched the vulnerability in the latest version of Bleach. In the advisory, the organization recommends setting up a strong Content Security Policy to mitigate further risks.

A growing threat

It is worth noting that this is the third mutation XSS bug found in Bleach in the past year.

“Mutation XSS bugs have grown in popularity due to the recent release of detailed research blog posts and useful tools on the subject,” the Mozilla spokesperson said.

“We consider a growing focus on specific vulnerabilities to be normal, once such related research is publicized.”


In written comments to The Daily Swig, Erez Yalon, head of security research at Checkmarx, warned that mutation XSS is relevant for every web application, not just those that are Python-based.

“[Mutation XSS] is slightly more complex to find and exploit than other XSS attacks because it combines a weakness in the code with a browser’s tendency to try and fix errors by content manipulations,” Yalon said.


He added: “Having the code visible (as it is in open source) makes it a bit easier to execute, as the combination of the attacker’s payload through the code and the browser manipulation causes the harmful effect.”


Mutation XSS is becoming more common among researchers and attackers, Yalon noted. “So, we believe it is our responsibility as security researchers to educate developers and try to find these issues in the wild before they are exploited,” he said.



Source: Third mutation XSS bug patched in Mozilla Bleach library
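The article notes that the flaw depended on a non-default allowlist configuration and that mutation XSS hinges on the browser re-interpreting sanitizer output. The following is an added example (not Bleach's code, not Mozilla's fix, and not from the Checkmarx research) of a defence-in-depth check a deployment can run on sanitizer output: re-parse the cleaned HTML with Python's lenient standard-library parser, flag any tag or attribute outside the same allowlist the sanitizer was given, and confirm that a second parse of the canonical re-serialization reproduces it unchanged. The allowlist, the sample inputs and the function names (`verify_sanitized`, `AllowlistVerifier`) are constructed for the example; it uses only the standard library so it runs offline.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example. In practice the same allowlist is
# handed to the sanitizer (for Bleach, the tags/attributes arguments of
# clean()) and to this independent verifier, so the two cannot drift apart.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistVerifier(HTMLParser):
    """Re-parse sanitizer output with a lenient parser (html.parser repairs
    sloppy markup much as a browser does), record anything outside the
    allowlist, and produce a canonical re-serialization."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []
        self._out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                # Catches every event handler (on*) and any other stray attribute.
                self.violations.append(f"disallowed attribute {name!r} on <{tag}>")
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                self.violations.append(f"href scheme not allowed on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self._out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so decoded entities cannot turn into markup.
        self._out.append(escape(data, quote=False))

    def serialized(self):
        return "".join(self._out)


def _reparse(markup):
    verifier = AllowlistVerifier()
    verifier.feed(markup)
    verifier.close()
    return verifier.serialized(), verifier.violations


def verify_sanitized(cleaned):
    """Second-opinion check on sanitizer output.

    Returns the violations found on the first parse, whether a second parse
    of the canonical output reproduces it unchanged ("stable"), and an
    overall verdict. Mutation XSS relies on output whose meaning changes when
    it is parsed again, so an unstable result fails the check even when no
    single tag or attribute was flagged.
    """
    once, violations = _reparse(cleaned)
    twice, second_violations = _reparse(once)
    stable = (twice == once) and not second_violations
    return {
        "ok": not violations and stable,
        "violations": violations,
        "stable": stable,
        "output": once,
    }


if __name__ == "__main__":
    # Constructed sample strings standing in for real sanitizer output.
    for sample in (
        '<p>Hello <b>world</b> &amp; <a href="https://example.com/x">link</a></p>',
        '<p onclick="f()">hi</p><script>f()</script>',
        '<a href="ftp://example.com/">x</a>',
    ):
        print(verify_sanitized(sample))
```

Run the verifier over the sanitizer's output in the test suite and, where the cost is acceptable, at request time; any violation or instability points to a sanitizer bug or a misconfigured allowlist and is worth reporting upstream rather than patching around. It complements, and does not replace, the Content Security Policy the advisory recommends.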
