Closed
Description
AntiSamy uses a deprecated HTMLSerializer which does not understand newer HTML5 tags like `<figure>`. While this is a minor issue, it also does not understand newer HTML5 entities like `&colon;` or `&lpar;`. This leads to a security vulnerability where the following text does not get cleaned:

```html
<a href="javascript:alert(1)">X</a>
```
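The failure described above is a normalization gap: a scheme check that looks at the raw attribute text never sees a `:` in `javascript&colon;...`, while the browser decodes the reference and runs the URL. The following Python is an added example written for this issue, not AntiSamy's code; `SAFE_SCHEMES`, `normalize_href`, `href_is_safe_naive` and `href_is_safe` are names chosen here, and the sample hrefs are constructed. It relies on `html.unescape`, which uses the full HTML5 named-reference table (where `&colon;`, `&lpar;` and `&rpar;` live), and it generalizes slightly beyond the entity case by also handling numeric references and the tab/newline characters that URL parsers drop.

```python
import html
import re
from typing import Optional

# Allow-list of URL schemes accepted in href attributes (constructed for this example).
SAFE_SCHEMES = {"http", "https", "mailto"}

# A scheme is a letter followed by letters/digits/+/-/. and then ':' (RFC 3986 shape).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_href(raw: str) -> str:
    """Reduce an attribute value to the form a browser acts on.

    1. Decode HTML character references (named, decimal and hex). html.unescape
       knows the HTML5 table, so &colon; -> ':' and &lpar; -> '(' are covered.
    2. Remove ASCII tab, newline and carriage return, which URL parsers strip
       anywhere inside the string.
    3. Trim leading/trailing C0 controls and spaces, which URL parsers ignore.
    """
    decoded = html.unescape(raw)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", decoded)


def scheme_of(value: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for a relative URL."""
    match = _SCHEME_RE.match(value)
    return match.group(1).lower() if match else None


def href_is_safe_naive(raw: str) -> bool:
    """Checks the raw, still-encoded text: the gap from the issue.

    'javascript&colon;alert(1)' contains no literal ':', so no scheme is found
    and the value is waved through as a relative URL.
    """
    scheme = scheme_of(raw)
    return scheme is None or scheme in SAFE_SCHEMES


def href_is_safe(raw: str) -> bool:
    """Normalize first, then apply the allow-list. Relative URLs are allowed."""
    scheme = scheme_of(normalize_href(raw))
    return scheme is None or scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed samples: the first is the page's example with HTML5 references.
    samples = [
        "javascript&colon;alert&lpar;1&rpar;",
        "&#106;avascript:alert(1)",
        " java\tscript:alert(1)",
        "https://example.com/?a=1&amp;b=2",
        "/relative/path",
    ]
    for href in samples:
        print(f"{href!r:45} naive={href_is_safe_naive(href)!s:5} decoded={href_is_safe(href)}")
```

The naive and decoded columns disagree only on the entity-encoded and numeric-reference samples, which is exactly the class of input a serializer limited to the pre-HTML5 entity table lets through; applying the allow-list after normalization closes that gap without affecting ordinary links that legitimately contain `&amp;` in a query string.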