Upgrade loofah to 2.2.2 to prevent potential XSS vulnerability caused by libxml2 (CVE-2018-8048)
libxml2 >= 2.9.2 fails to escape comments within some attributes. It wants to ensure these comments can be treated as "server-side includes", but as a result fails to ensure that serialization is well-formed, resulting in an opportunity for XSS injection of code into a final re-parsed document (presumably in a browser).
See [1] for the underlying issue in libxml2, which was reported 2016/08/11, but is still unfixed.
[1] https://bugzilla.gnome.org/show_bug.cgi?id=769760
Closes #95
Edited by georg
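
A dependency check for the upgrade described above, as an added example that is not part of the original change description: it reads the resolved loofah version from Gemfile.lock text and compares it with 2.2.2. The sample lock file and the helper names (`locked_loofah_version`, `loofah_status`) are constructed for illustration.

```ruby
require "rubygems"

# First loofah release named on this page as carrying the fix.
FIXED_LOOFAH = Gem::Version.new("2.2.2")

# Constructed sample Gemfile.lock (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  DEPENDENCIES
    rails-html-sanitizer
LOCK

# Return the resolved loofah version from Gemfile.lock text, or nil if absent.
# Only entries directly under "specs:" (4-space indent) count; the 6-space
# lines are version constraints declared by other gems, not resolved versions.
def locked_loofah_version(lock_text)
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
    elsif line =~ /\A\S/
      in_specs = false # a new top-level section such as DEPENDENCIES
    elsif in_specs && (m = line.match(/\A {4}loofah \(([^)]+)\)\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify a lock file as :ok, :upgrade_needed or :not_present.
def loofah_status(lock_text)
  version = locked_loofah_version(lock_text)
  return :not_present if version.nil?
  version >= FIXED_LOOFAH ? :ok : :upgrade_needed
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "loofah #{locked_loofah_version(text) || 'n/a'}: #{loofah_status(text)}"
end
```

Run it with the path to a project's Gemfile.lock as the first argument; with no argument it evaluates the constructed sample.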