GHSA-8RFP-98V4-MMR6

Vulnerability from github – Published: 2026-06-16 14:06 – Updated: 2026-06-16 14:06
Summary
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Details

Impact

A possible XSS bypass affects users calling bleach.clean with all of:

  • a in the allowed tags
  • href in allowed attributes

The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:

  • Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
  • If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.

This is not a direct XSS vulnerability.

Python code example from reporter with Bleach v6.3.0 and Python 3.13:

```python
import bleach

# U+200B (zero-width space) is inserted into the scheme between "javascript" and ":"
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")
```

Output:

```
(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
```

Patches

Users should upgrade to Bleach 6.4.0.

Workarounds

Pre-process content removing non-ASCII characters from URI schemes before sanitizing with bleach.clean.

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs will also help mitigate the risk.
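The following is an added example, not code from the advisory or from the Bleach project: it implements the pre-processing workaround described above (dropping non-ASCII code points from the scheme part of each href before calling bleach.clean), and the complementary check a caller can run over bleach's output to detect URIs whose scheme only becomes recognisable once invisible characters are removed. The allowlist, the href regex and the function names are assumptions; bleach itself is not imported so the block runs stand-alone.

```python
import re

# Scheme grammar from RFC 3986 section 3.1 as cited in the advisory:
# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*\Z")
# Assumed caller allowlist; bleach's own defaults are not reproduced here.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})
# Simplified href matcher for illustration; a real pipeline would use an HTML parser.
_HREF_RE = re.compile(r"""(href\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def _ascii_only(text):
    return "".join(ch for ch in text if ord(ch) < 0x80)


def strip_nonascii_from_scheme(uri):
    """Advisory workaround: remove non-ASCII code points from the scheme part only
    (everything before the first ':'), so 'javascript\\u200b:...' becomes
    'javascript:...' and the sanitizer's protocol check sees the real scheme."""
    head, sep, rest = uri.partition(":")
    if not sep:
        return uri
    return _ascii_only(head) + ":" + rest


def scheme_status(uri, allowed=ALLOWED_SCHEMES):
    """Classify a URI as 'allowed', 'disallowed', 'relative' (no valid scheme) or
    'obfuscated': the head is not a valid RFC 3986 scheme, but once non-ASCII
    characters are dropped it is a scheme outside the allowlist (the advisory's case)."""
    head, sep, _ = uri.partition(":")
    if not sep:
        return "relative"
    if _SCHEME_RE.match(head):
        return "allowed" if head.lower() in allowed else "disallowed"
    cleaned = _ascii_only(head)
    if _SCHEME_RE.match(cleaned) and cleaned.lower() not in allowed:
        return "obfuscated"
    return "relative"


def preprocess_hrefs(html):
    """Pre-sanitization pass: normalise the scheme of every href before bleach.clean."""
    return _HREF_RE.sub(
        lambda m: m.group(1) + m.group(2) + strip_nonascii_from_scheme(m.group(3)) + m.group(2),
        html)


def audit_hrefs(html, allowed=ALLOWED_SCHEMES):
    """Post-sanitization check on bleach output: hrefs that violate the allowlist."""
    return [m.group(3) for m in _HREF_RE.finditer(html)
            if scheme_status(m.group(3), allowed) in ("disallowed", "obfuscated")]
```

Run preprocess_hrefs on untrusted input before bleach.clean, and audit_hrefs on the sanitizer's output as a regression check that the protocol allowlist actually held.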

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
  • RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

Reported by

Reported by codeant from CodeAnt AI.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "bleach"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T14:06:29Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nA possible XSS bypass affects users calling `bleach.clean` with all of:\n\n* `a` in the allowed tags\n* `href` in allowed attributes\n\nThe `bleach.clean` sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:\n\n- Bleach\u0027s output contains URI values that violate the caller\u0027s protocol allowlist, breaking the sanitizer\u0027s contract.\n- If a downstream system performs its own Unicode normalization on bleach\u0027s output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.\n\nThis is not a direct XSS vulnerability.\n\nPython code example from reporter with Bleach v6.3.0 and Python 3.13:\n\n```\nimport bleach\npayload1 = \u0027\u003ca href=\"javascript\\u200b:alert(document.cookie)\"\u003eClick me\u003c/a\u003e\u0027\nresult1 = bleach.clean(payload1)\nprint(f\"(ZWSP): {repr(result1)}\")\n```\n\nOutput:\n\n```\n(ZWSP): \u0027\u003ca href=\"javascript\\u200b:alert(document.cookie)\"\u003eClick me\u003c/a\u003e\u0027\n```\n\n### Patches\n\nUsers should upgrade to Bleach 6.4.0.\n\n### Workarounds\n\nPre-process content removing non-ASCII characters from URI schemes before sanitizing with `bleach.clean`.\n\nA strong[ Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without unsafe-inline and unsafe-eval[ script-srcs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=2023812\n* RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to ALPHA *( ALPHA / DIGIT / \"+\" / \"-\" / \".\" )\n\n### 
Reported by \n\nReported by codeant from CodeAnt AI.",
  "id": "GHSA-8rfp-98v4-mmr6",
  "modified": "2026-06-16T14:06:30Z",
  "published": "2026-06-16T14:06:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-8rfp-98v4-mmr6"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2023812"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/bleach"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bleach: URI sanitization allows disallowed URI schemes with Unicode \u003e U+00A0 in output"
}
