CVE-2016-9910: Cross-site Scripting in html5lib

CVSS Score
6.1 (CVSS v3.0)

Basic Information

EPSS Score
0.68165%
Published
5/17/2022
Updated
9/23/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
html5lib       pip         < 0.99999999          0.99999999

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from the attribute quoting logic in the serializer. Commit 9b8d8eb replaced the boolean quote_attr_values flag with a three-valued quote_attr_values option and expanded the regex pattern to include legacy-sensitive characters. The pre-patch code used the boolean flag together with a limited regex (quoteAttributeSpec), so attribute values containing characters such as U+000B or ` were not properly escaped and could break out of the attribute context in legacy browsers. The serialize method directly controls attribute serialization and was the focal point of the security fix.
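To make the quoting decision concrete, here is an added re-implementation of the attribute-quoting logic in the spirit of the patch; it is not html5lib's own code, and both character classes (SPEC_CHARS, LEGACY_EXTRA), the function names and the sample values are assumptions modelled on the description above. The audit helper reports which values a "spec"-only regex would leave unquoted but a "legacy" regex quotes, which is the class of inputs the fix changed.

```python
import re

# Assumed character classes, modelled on the page's description rather than
# copied from html5lib: the "spec" set is what the HTML spec forbids in an
# unquoted attribute value; the "legacy" set adds C0 controls (U+000B among
# them), "/" and non-ASCII space characters that old browsers treated as
# attribute delimiters.
SPEC_CHARS = "\t\n\x0c\r \"'=<>`"
LEGACY_EXTRA = ("".join(chr(c) for c in range(0x01, 0x20)) + "/\xa0\u1680"
                + "".join(chr(c) for c in range(0x2000, 0x200b))
                + "\u2028\u2029\u202f\u205f\u3000")
QUOTE_SPEC = re.compile("[" + SPEC_CHARS + "]")
QUOTE_LEGACY = re.compile("[" + SPEC_CHARS + LEGACY_EXTRA + "]")


def quote_needed(value, quote_attr_values="legacy"):
    """Decide whether an attribute value must be quoted under a policy.
    'always' mirrors the old boolean True; 'spec' mirrors the old False,
    whose narrow regex is the pre-patch behaviour described above."""
    if quote_attr_values == "always" or value == "":
        return True
    if quote_attr_values == "spec":
        return QUOTE_SPEC.search(value) is not None
    if quote_attr_values == "legacy":
        return QUOTE_LEGACY.search(value) is not None
    raise ValueError("unknown quote_attr_values policy: %r" % quote_attr_values)


def serialize_attr(name, value, quote_attr_values="legacy", quote_char='"'):
    """Serialize one name=value pair, quoting only when the policy demands."""
    v = value.replace("&", "&amp;")
    if not quote_needed(v, quote_attr_values):
        return "%s=%s" % (name, v)
    if quote_char == '"':
        v = v.replace('"', "&quot;")
    else:
        v = v.replace("'", "&#39;")
    return "%s=%s%s%s" % (name, quote_char, v, quote_char)


def audit(values):
    """Return values left unquoted under 'spec' but quoted under 'legacy':
    the inputs whose serialized output the patch changed."""
    return [v for v in values if not quote_needed(v, "spec")
            and quote_needed(v, "legacy")]


if __name__ == "__main__":
    # Constructed sample values: U+000B and U+00A0 slip through the spec regex.
    samples = ["plain", "a b", "x\x0by", "x\xa0y", 'q"r']
    print(audit(samples))
    print(repr(serialize_attr("title", "x\x0by", "spec")), "vs",
          repr(serialize_attr("title", "x\x0by", "legacy")))
```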

WAF Protection Rules

WAF Rule

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.
