PT-2023-9150 · Owasp · Owasp Antisamy .Net

Leen · Published 2023-12-20 · Updated 2024-01-08 · CVE-2023-51652

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

OWASP AntiSamy .NET versions prior to 1.2.0

Description

The issue is related to a mutation cross-site scripting (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. This vulnerability can be exploited when the preserveComments directive is enabled in the policy file and certain tags are allowed. As a result, elements in comment tags can be interpreted as executable when using AntiSamy's sanitized output.

Recommendations

To resolve the issue, upgrade to OWASP AntiSamy .NET version 1.2.0 or later. As a temporary workaround, manually edit the AntiSamy policy file (e.g., antisamy.xml) by deleting the preserveComments directive or setting its value to false, if present. Also, consider making AntiSamy remove the noscript tag by adding a line to the tag definitions under the <tagrules> node, or deleting it entirely if present.
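A policy-file audit for the workaround above, as an added example that is not part of the advisory or of AntiSamy itself. It assumes the usual AntiSamy policy layout (`<directive name="..." value="..."/>` and `<tag name="..." action="..."/>` entries); it matches those elements wherever they sit, so the name of the enclosing tag-rules node does not matter. The sample policy is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the advisory): comments are preserved
# and noscript is allowed, the combination the workaround is meant to remove.
SAMPLE_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="maxInputSize" value="100000"/>
    <directive name="preserveComments" value="true"/>
  </directives>
  <tag-rules>
    <tag name="div" action="validate"/>
    <tag name="noscript" action="validate"/>
  </tag-rules>
</anti-samy-rules>"""


def local(tag):
    """Strip an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_policy(xml_text):
    """Return findings for the two workaround settings; empty list means OK."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        kind = local(el.tag)
        name = el.get("name") or ""
        if kind == "directive" and name == "preserveComments":
            # Workaround: directive deleted, or present with value "false".
            if (el.get("value") or "").strip().lower() != "false":
                findings.append("preserveComments is enabled: delete it or set it to false")
        elif kind == "tag" and name.lower() == "noscript":
            # Workaround: noscript rule deleted, or present with action "remove"
            # (assumed to be the policy action that drops the element).
            action = (el.get("action") or "").strip().lower()
            if action != "remove":
                findings.append("noscript rule has action %r: set it to remove or delete the rule" % action)
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

An empty result only confirms the workaround settings; upgrading to 1.2.0 or later remains the fix.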

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-04170
CVE-2023-51652
GHSA-8X6F-956F-Q43W

Affected Products

Owasp Antisamy .Net