Impact
The way bleach.clean parses style attributes could result in a regular expression denial of service (ReDoS).
Calls to bleach.clean that allow a tag together with the style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Patches
3.1.4
Workarounds
do not whitelist the style attribute in bleach.clean calls
limit input string length
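A wrapper that enforces both workarounds before text reaches the library, added here as an example and not bleach's own code; MAX_INPUT_LEN, PROBE_TAG and the function names are assumptions. It inspects the three shapes bleach accepts for attributes (a list, a dict of tag to list or callable, or a single callable).

```python
# Added example (not bleach's own code): refuse the `style` attribute in the
# allowlist and cap input length before calling bleach.clean, which are the
# advisory's two workarounds for bleach < 3.1.4.
from collections.abc import Mapping

MAX_INPUT_LEN = 10_000  # assumed cap; size it for your application
PROBE_TAG = "a"  # assumed tag used when probing a '*' wildcard callable


def style_attribute_allowed(attributes) -> bool:
    """True if a bleach `attributes` argument could let `style` through.

    Dict callables (tag, name, value) are probed for their own tag; a
    top-level callable is flagged conservatively since it cannot be inspected.
    """
    if callable(attributes):
        return True
    if isinstance(attributes, Mapping):
        for tag, allowed in attributes.items():
            if callable(allowed):
                probe_tag = PROBE_TAG if tag == "*" else tag
                try:
                    if allowed(probe_tag, "style", ""):
                        return True
                except Exception:
                    return True  # cannot prove it rejects style
            elif "style" in allowed:
                return True
        return False
    return "style" in attributes


def policy_violations(text, attributes, max_len=MAX_INPUT_LEN):
    """Return the list of workaround violations for a planned bleach.clean call."""
    problems = []
    if style_attribute_allowed(attributes):
        problems.append("style attribute allowlisted (ReDoS in bleach < 3.1.4)")
    if len(text) > max_len:
        problems.append(f"input length {len(text)} exceeds limit {max_len}")
    return problems


def guarded_clean(text, attributes, max_len=MAX_INPUT_LEN, cleaner=None, **kwargs):
    """Call bleach.clean only when both workarounds hold; raise ValueError otherwise.

    `cleaner` lets a caller substitute another cleaning function for bleach.clean.
    """
    problems = policy_violations(text, attributes, max_len)
    if problems:
        raise ValueError("; ".join(problems))
    if cleaner is None:
        import bleach  # deferred so the policy checks run without bleach installed
        cleaner = bleach.clean
    return cleaner(text, attributes=attributes, **kwargs)
```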
References
Credits
For more information
If you have any questions or comments about this advisory: