Owasp · Owasp Antisamy .Net · CVE-2023-51652
**Name of the Vulnerable Software and Affected Versions**
OWASP AntiSamy .NET versions prior to 1.2.0
**Description**
The issue is related to a mutation cross-site scripting (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. This vulnerability can be exploited when the `preserveComments` directive is enabled in the policy file and certain tags are allowed. As a result, elements in comment tags can be interpreted as executable when using AntiSamy's sanitized output.
**Recommendations**
To resolve the issue, upgrade to OWASP AntiSamy .NET version 1.2.0 or later.
As a temporary workaround, manually edit the AntiSamy policy file (e.g., antisamy.xml) by deleting the `preserveComments` directive or setting its value to `false`, if present.
Also, consider making AntiSamy remove the `noscript` tag, either by adding a tag rule for it under the `<tagrules>` node whose action is to remove the element, or by deleting the existing `noscript` tag rule entirely if one is present.
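The two workaround edits above, shown side by side in an illustrative AntiSamy policy fragment. This is an added example, not the policy file shipped by the project: the `<directive>` and `<tag>` element forms follow AntiSamy's policy schema, while the root element's schema attributes and the other policy sections are omitted for brevity.

```xml
<!-- Added illustrative fragment of an AntiSamy policy file (e.g. antisamy.xml).
     Only the elements relevant to the CVE-2023-51652 workaround are shown;
     the remaining sections of a real policy are omitted here. -->
<anti-samy-rules>
  <directives>
    <!-- Vulnerable setting: comments are preserved in the sanitized output.
         Together with permitted tags such as noscript, this is the precondition
         for the mXSS described above. Shown commented out for comparison:
         <directive name="preserveComments" value="true"/> -->

    <!-- Workaround: delete the directive, or set it to false so that comments
         are stripped before the sanitized HTML is returned. -->
    <directive name="preserveComments" value="false"/>
  </directives>

  <tagrules>
    <!-- Workaround: make AntiSamy remove noscript elements outright.
         If a tag rule named "noscript" already exists in the policy, delete it
         or replace it with this remove rule rather than keeping both. -->
    <tag name="noscript" action="remove"/>
  </tagrules>
</anti-samy-rules>
```

After editing the policy, reload it in the application (policies are typically loaded once at startup) and confirm that sanitized output no longer contains HTML comments; this is a stopgap until the upgrade to 1.2.0 or later is deployed.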