PT-2023-8390 · Antisamy+1 · Antisamy+1

Leen · Published 2023-10-09 · Updated 2024-01-16 · CVE-2023-43643

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

AntiSamy versions prior to 1.7.4

Description

The issue is a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. A deployment is affected only if the preserveComments directive is enabled in the policy file and certain tags are allowed at the same time. Under those conditions, elements inside comment tags can be interpreted as executable when AntiSamy's sanitized output is used.

Recommendations

Update to AntiSamy 1.7.4 or later to resolve the issue. As a temporary workaround for versions prior to 1.7.4, manually edit the AntiSamy policy file and delete the preserveComments directive, if present, or set its value to false. Additionally, consider adding a tag definition under the <tag-rules> node that removes the noscript tag.
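
The two workaround items above can be checked mechanically against a policy file. The following Python script is an added example, not code from AntiSamy or from this advisory; the sample policies are constructed, and it assumes the usual policy layout (`<directives>/<directive>` and `<tag-rules>/<tag>`), treats a missing preserveComments directive as disabled, and does not follow included policy files.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from a real deployment).
RISKY_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="preserveComments" value="true"/>
  </directives>
  <tag-rules>
    <tag name="p" action="validate"/>
    <tag name="noscript" action="validate"/>
  </tag-rules>
</anti-samy-rules>"""

WORKAROUND_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="preserveComments" value="false"/>
  </directives>
  <tag-rules>
    <tag name="p" action="validate"/>
    <tag name="noscript" action="remove"/>
  </tag-rules>
</anti-samy-rules>"""


def audit_policy(policy_xml):
    """Return findings for the two workaround items in the advisory."""
    root = ET.fromstring(policy_xml)
    findings = []
    # Assumption: an absent preserveComments directive means comments are
    # not preserved, matching the "delete the directive" workaround.
    for d in root.findall("./directives/directive"):
        if (d.get("name") == "preserveComments"
                and (d.get("value") or "").strip().lower() == "true"):
            findings.append("preserveComments is enabled")
    # Every noscript rule must use action="remove"; no rule at all is a gap.
    actions = [(t.get("action") or "").lower()
               for t in root.findall("./tag-rules/tag")
               if (t.get("name") or "").lower() == "noscript"]
    if not actions or any(a != "remove" for a in actions):
        findings.append('noscript has no action="remove" rule')
    return findings


if __name__ == "__main__":
    for label, policy in (("risky", RISKY_POLICY),
                          ("workaround", WORKAROUND_POLICY)):
        print(label, audit_policy(policy) or "no findings")
```

A clean result only confirms the workaround is in place; upgrading to 1.7.4 or later remains the fix.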

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-00589
CVE-2023-43643
GHSA-PCF2-GH6G-H5R2

Affected Products

Antisamy
Debian