OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-19T14:53:09

Updated: 2024-08-04T00:33:50.696Z

Reserved: 2021-06-18T00:00:00

Link: CVE-2021-35043

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-07-19T15:15:07.747

Modified: 2024-11-21T06:11:44.160

Link: CVE-2021-35043

cve-icon Redhat

Severity : Important

Publid Date: 2021-07-19T00:00:00Z

Links: CVE-2021-35043 - Bugzilla