Users of com.mikesamuel:json-sanitizer should upgrade to version 1.2.1 or later.

54 views

Skip to first unread message

Mike Samuel

unread,

Jun 9, 2020, 2:44:59 PM6/9/20

to json-sanitizer-support

A bug in com.mikesamuel:json-sanitizer:1.2.0 and prior allows an attacker who controls the content of a JSON string that is later embedded in an HTML `<script>` element to confuse the HTML parser as to where the `<script>` element ends. If the attacker also controls other content, e.g. a string of non-JavaScript content adjacent to the `<script>` element, this can lead to arbitrary JavaScript execution.

See #20 (comment) for details.

CVE-2020-13973

https://github.com/OWASP/json-sanitizer/releases/tag/v1.2.1

Reply all

Reply to author

Forward

0 new messages

Search

Clear search

Close search

Google apps

Main menu