ammonia is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
ammonia cleans HTML by removing disallowed elements and validating namespace transitions between each parent and child node. When a configuration permits the MathML annotation-xml element, the cleaner treats it as an HTML or SVG integration point without checking its encoding attribute, so its children are assumed to leave the MathML namespace. Untrusted markup placed under such an element can survive cleaning and then change namespace when a browser re-parses the serialized output, producing mutation XSS that executes script. The fix only treats annotation-xml as an integration point when its encoding attribute is a recognized HTML or SVG media type.
You are affected if you are using a version that falls within the vulnerable range and your configuration explicitly allows MathML annotation-xml along with a raw-text element such as xmp.
ammonia is vulnerable to Cross-Site Scripting (XSS) in versions 3.2.0 - 3.3.1, 4.0.0 - 4.0.1 and 4.1.0 - 4.1.2.
Upgrade the ammonia library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant