The vulnerability stems from the `_remove_javascript_link` function's incomplete handling of control characters in URLs. The GitHub patch (commit 3f3082e) modifies this function to call `unquote_plus(link)` before processing, indicating the original implementation lacked proper URL decoding. Control characters in the `href` attribute could evade the JavaScript scheme detection, as demonstrated in the PoC. The test case updates in `test_clean.txt` further confirm the function's role in sanitization failures.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| lxml | pip | < 3.3.5 | 3.3.5 |
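
The sanitization gap described above, as an added example that is not lxml's code and not taken from the patch: a simplified scheme check before and after decoding with `unquote_plus`. The regexes, function names, sample hrefs and the control-character stripping in the hardened variant are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Simplified stand-in patterns for illustration; not lxml's own regexes.
SCRIPT_SCHEME = re.compile(r'^(?:javascript|vbscript):', re.I)
WHITESPACE = re.compile(r'\s+')
WS_AND_CONTROL = re.compile(r'[\s\x00-\x1f\x7f]+')


def naive_is_script_link(href):
    """'Before' model: strips whitespace only and never URL-decodes."""
    return bool(SCRIPT_SCHEME.match(WHITESPACE.sub('', href)))


def hardened_is_script_link(href):
    """'After' model: URL-decode first, then drop whitespace and control chars."""
    decoded = unquote_plus(href)
    return bool(SCRIPT_SCHEME.match(WS_AND_CONTROL.sub('', decoded)))


def clean_href(href):
    """Return '' for a script-scheme link; otherwise return the link unchanged."""
    return '' if hardened_is_script_link(href) else href


# Constructed sample hrefs (not taken from the advisory's PoC).
SAMPLES = [
    'https://example.com/?q=a+b',   # ordinary link, must survive untouched
    'javascript:void(0)',           # plain script scheme
    'java\x01script:void(0)',       # raw control character inside the scheme
    'java%0Ascript:void(0)',        # percent-encoded newline inside the scheme
]


def compare(samples=SAMPLES):
    """Return (href, naive_verdict, hardened_verdict) for each sample."""
    return [(h, naive_is_script_link(h), hardened_is_script_link(h))
            for h in samples]


if __name__ == '__main__':
    for href, naive, hardened in compare():
        print(f'{href!r:34} naive={naive!s:5} hardened={hardened}')
```

The check runs on a decoded, normalized copy while `clean_href` returns the original string, so links that pass are not altered by the decoding step.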