PT-2021-23639 · Unknown+1 · Bluemonday+1

Published: 2021-10-18 · Updated: 2023-08-08 · CVE-2021-42576

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: bluemonday versions prior to 1.0.16 for Go; bluemonday versions prior to 0.0.8 for Python (in pybluemonday).

Description: The bluemonday sanitizer does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements, potentially causing XSS vulnerabilities. This issue affects user-defined policies that allow these elements. Permitting the STYLE element in policies is particularly hazardous because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress STYLE and SCRIPT elements even when allowed by a policy unless the policy explicitly requests unsafe processing.

Recommendations: For bluemonday versions prior to 1.0.16 for Go, update to version 1.0.16 or later to resolve the issue. For bluemonday versions prior to 0.0.8 for Python (in pybluemonday), update to version 0.0.8 or later to resolve the issue. As a temporary workaround, consider disabling the use of SELECT, STYLE, and OPTION elements in user-defined policies until a patch is available. Restrict access to the STYLE element to minimize the risk of exploitation, as it can leak contents into the HTML output.

Related Identifiers

CVE-2021-42576
GHSA-X95H-979X-CF3J
GO-2022-0588
PYSEC-2021-849

Affected Products

Debian
Bluemonday