Impact
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
Patches
Vulnerable versions: < 1.0.5
Patched version: 1.0.5
Workarounds
Upgrade github.com/microcosm-cc/bluemonday to version 1.0.5 or later. For example:
require github.com/microcosm-cc/bluemonday v1.0.5
References
NIST page for CVE-2021-29272
Impact
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
Patches
Vulnerable versions: < 1.0.5
Patched version: 1.0.5
Workarounds
Upgrade github.com/microcosm-cc/bluemonday to version 1.0.5 or later. For example:
require github.com/microcosm-cc/bluemonday v1.0.5References
NIST page for CVE-2021-29272