CVE-2021-38193

Name of the Vulnerable Software and Affected Versions: ammonia crate versions prior to 3.1.0

Description: The issue arises from mishandled parsing differences for HTML, SVG, and MathML, leading to potential XSS. The underlying HTML parser treats svg and math elements differently, even if they are not allowed, resulting in an "impossible" DOM that can be exploited when serialized and deserialized. Exploitation requires the application to allow specific tags that are parsed as raw text in HTML, such as title, textarea, xmp, iframe, noembed, noframes, plaintext, noscript, style, or script. Applications not explicitly allowing these tags are not affected.

Recommendations: For ammonia crate versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the affected tags (title, textarea, xmp, iframe, noembed, noframes, plaintext, noscript, style, script) in applications using this library until a patch is applied.