Package: lxml / 4.3.2-1+deb10u3

Metadata

Package: lxml
Version: 4.3.2-1+deb10u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
CVE 2020 27783.patch

src/lxml/html/clean.py | 3 3 + 0 - 0 !
src/lxml/html/tests/test_clean.py | 10 10 + 0 - 0 !
2 files changed, 13 insertions(+)

 [patch] prevent combinations of <noscript> and <style> to sneak
 JavaScript through the HTML cleaner.


math svg.patch

src/lxml/html/clean.py | 22 14 + 8 - 0 !
src/lxml/html/tests/test_clean.py | 10 10 + 0 - 0 !
src/lxml/html/tests/test_clean.txt | 12 10 + 2 - 0 !
3 files changed, 34 insertions(+), 10 deletions(-)

 [patch] prevent combinations of <math/svg> and <style> to sneak
 JavaScript through the HTML cleaner.

* A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry,
  which allowed JavaScript to pass through.  The cleaner now removes more sneaky
  "style" content.

fix lack of re ASCII in python2.patch

src/lxml/html/clean.py | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch] work around py2's lack of "re.ascii".


CVE 2021 28957.patch

src/lxml/html/defs.py | 2 2 + 0 - 0 !
src/lxml/html/tests/test_clean.py | 15 15 + 0 - 0 !
2 files changed, 17 insertions(+)

---