PT-2023-29225 · Unknown · Sanitize-Html

Yaniv-Git · Published 2023-10-04 · Updated 2023-10-12 · CVE-2023-44390

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: HtmlSanitizer versions prior to 8.0.723; HtmlSanitizer version 8.1.722-beta and earlier

Description: The issue occurs in configurations where foreign content is allowed, specifically when svg or math are in the list of allowed elements. This allows an attacker to bypass sanitization and inject arbitrary HTML, including JavaScript code, when an application sanitizes user input with a vulnerable configuration. The default configuration is not affected.

Recommendations: For HtmlSanitizer versions prior to 8.0.723, update to version 8.0.723 or later. For HtmlSanitizer version 8.1.722-beta and earlier, update to a version later than 8.1.722-beta. As a temporary workaround, consider disallowing foreign elements svg and math to minimize the risk of exploitation.
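The temporary workaround above, shown as an added example that is not part of the advisory or of the HtmlSanitizer project: an application that had opted in to inline svg removes the foreign root elements from its allow list and guards its startup so the weak configuration cannot return unnoticed. It assumes the HtmlSanitizer NuGet package with the Ganss.Xss namespace used by the 8.x line; the helper class and method names are hypothetical.

```csharp
// Added example, not from the advisory or the HtmlSanitizer project.
// Assumes the HtmlSanitizer package (namespace Ganss.Xss in 8.x);
// ForeignContentCheck and its methods are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;
using Ganss.Xss;

static class ForeignContentCheck
{
    // The advisory names svg and math as the foreign elements that enable the bypass.
    static readonly string[] ForeignRoots = { "svg", "math" };

    // Lists the foreign root elements a sanitizer is currently configured to allow.
    public static IReadOnlyList<string> AllowedForeignRoots(HtmlSanitizer sanitizer) =>
        ForeignRoots
            .Where(t => sanitizer.AllowedTags.Contains(t, StringComparer.OrdinalIgnoreCase))
            .ToList();

    // Workaround from the advisory: drop svg and math from the allow list.
    public static void DisallowForeignContent(HtmlSanitizer sanitizer)
    {
        foreach (var t in ForeignRoots)
            sanitizer.AllowedTags.Remove(t);
    }

    static void Main()
    {
        // Affected configuration: the default allow list plus inline svg.
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedTags.Add("svg");
        Console.WriteLine("foreign roots allowed before: " +
            string.Join(",", AllowedForeignRoots(sanitizer)));

        // Apply the workaround until the fixed release is deployed.
        DisallowForeignContent(sanitizer);
        Console.WriteLine("foreign roots allowed after: " +
            string.Join(",", AllowedForeignRoots(sanitizer)));

        // Startup guard: fail fast if foreign content is still allowed on an unpatched version.
        if (AllowedForeignRoots(sanitizer).Count > 0)
            throw new InvalidOperationException(
                "svg/math allowed on an HtmlSanitizer version affected by CVE-2023-44390");

        // Ordinary markup still passes through the hardened configuration.
        Console.WriteLine(sanitizer.Sanitize("<p>hello <b>world</b></p>"));
    }
}
```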

Category: XSS

Related Identifiers: CVE-2023-44390, GHSA-43CP-6P3Q-2PC4

Affected Products: Sanitize-Html