Impact
A mutation XSS affects users calling bleach.clean with noscript and a raw tag (see below) in the allowed/whitelisted tags option.
Patches
v3.1.1
Workarounds
Modify bleach.clean calls to not whitelist noscript and one or more of the following raw tags: title, textarea, script, style, noembed, noframes, iframe, xmp.
A Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs will also help mitigate the risk.
References
Credits
For more information
If you have any questions or comments about this advisory:
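
A check for the two workarounds described under Workarounds, as an added example that is not part of the advisory or of bleach itself. The function names, the sample allowlist and the sample policy are constructed for illustration, and dropping noscript is one assumed way of breaking up the risky tag combination.

```python
import re

# Raw tags listed in the advisory; PATCHED is the release named under Patches.
RAW_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)
PATCHED = (3, 1, 1)


def risky_raw_tags(allowed_tags):
    """Raw tags allowed together with noscript; empty set if the combination is absent."""
    tags = {t.strip().lower() for t in allowed_tags}
    return tags & RAW_TAGS if "noscript" in tags else set()


def harden_tags(allowed_tags):
    """One way to apply the workaround (a choice made here): drop noscript."""
    if not risky_raw_tags(allowed_tags):
        return list(allowed_tags)
    return [t for t in allowed_tags if t.strip().lower() != "noscript"]


def is_patched(version):
    """True if the leading numeric parts of a dotted version are >= 3.1.1."""
    found = [re.match(r"\d+", part) for part in version.split(".")[:3]]
    nums = [int(m.group()) if m else 0 for m in found]
    return tuple(nums + [0] * (3 - len(nums))) >= PATCHED


def csp_weak_script_sources(csp):
    """unsafe-inline/unsafe-eval keywords that govern scripts in a CSP value.

    script-src falls back to default-src; None means scripts are unrestricted.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return None
    return {s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")}


if __name__ == "__main__":
    tags = ["p", "a", "noscript", "style"]  # constructed allowlist
    csp = "default-src 'self'; script-src 'self' 'unsafe-inline'"  # constructed
    print("risky raw tags:", sorted(risky_raw_tags(tags)))
    print("hardened tags:", harden_tags(tags))
    print("installed 3.1.0 patched:", is_patched("3.1.0"))
    print("weak script sources:", csp_weak_script_sources(csp))
```

Pass the list returned by harden_tags as the tags argument of bleach.clean; a None result from csp_weak_script_sources means the policy offers no script restriction at all.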