CVE-2017-14735

Name of the Vulnerable Software and Affected Versions OWASP AntiSamy versions prior to 1.5.7

Description The issue allows for cross-site scripting (XSS) attacks via HTML5 entities. This is demonstrated by the use of : to construct a javascript: URL. The vulnerability is related to the implementation of the HTMLSerializer class in the AntiSamy framework, which fails to protect the web page structure. This can be exploited by a remote attacker to conduct cross-site scripting attacks using HTML5 tags and the HTTP protocol.

Recommendations For OWASP AntiSamy versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTML5 entities in user-input data to minimize the risk of exploitation.