v1.2.1

@mikesamuel mikesamuel released this 09 Jun 18:42
· 21 commits to master since this release
v1.2.1
b3ebd8b

Users of com.mikesamuel:json-sanitizer should upgrade to version 1.2.1 or later.

A bug in com.mikesamuel:json-sanitizer:1.2.0 and prior allows an attacker who controls the content of a JSON string that is later embedded in an HTML <script> element to confuse the HTML parser as to where the <script> element ends. If the attacker also controls other content, e.g. a string of non-JavaScript content adjacent to the <script> element, this can lead to arbitrary JavaScript execution.

See #20 (comment) for details.

CVE-2020-13973
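
Defense in depth for the embedding described above, as an added example that is not part of the release note or of json-sanitizer: it rewrites `<`, `>`, `&`, U+2028 and U+2029 in serialized JSON as `\uXXXX` escapes before the text goes into a `<script>` element, and reports sequences that influence where the HTML parser thinks the script content ends. The function names, the sample value and the list of sequences (taken from the HTML parsing rules, not from this page) are assumptions.

```python
import json
import re

# Sequences that change how an HTML tokenizer reads <script> content.
# Assumption: taken from the HTML parsing rules; the release note lists none.
_BREAKERS = re.compile(r"</script|<script|<!--", re.IGNORECASE)

# Characters rewritten to \uXXXX escapes. In valid JSON these characters can
# only occur inside string tokens, so a global replace keeps the same value.
_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def find_script_breakers(json_text):
    """Return the sequences in json_text that could confuse the HTML parser."""
    return [m.group(0).lower() for m in _BREAKERS.finditer(json_text)]


def json_for_script(value):
    """Serialize value so the result is inert inside an HTML <script> element."""
    text = json.dumps(value, ensure_ascii=False)
    for char, escape in _ESCAPES.items():
        text = text.replace(char, escape)
    return text


# Constructed sample: one attacker-influenced field in otherwise normal data.
SAMPLE = {"name": "x</ScRiPt><!-- <script>", "id": 7}

if __name__ == "__main__":
    print(find_script_breakers(json.dumps(SAMPLE)))       # plain serialization
    print(find_script_breakers(json_for_script(SAMPLE)))  # escaped for <script>
```

`find_script_breakers` can also be run over the output of whatever sanitizer or serializer is in use, as a regression check after upgrading.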