GHSA-GJ48-438W-JH9V: Client-Side HTML Sanitization Bypass in Bleach

Alon Barad, Software Engineer

Jun 16, 2026 · 6 min read

Executive Summary (TL;DR)

Bleach does not treat the formaction attribute as a URI, so a javascript: value in it survives sanitization and becomes submit-triggered XSS in any configuration that explicitly allows formaction.

A client-side HTML sanitization bypass vulnerability exists in the Bleach library where the formaction attribute is not recognized as a URI. This allows attackers to inject javascript: URIs when formaction is on the allowed list, resulting in Cross-Site Scripting (XSS).

Vulnerability Overview

The HTML sanitization library Bleach is widely used within the Python ecosystem to clean untrusted markup. By leveraging a whitelist of allowed tags, attributes, and URI protocols, Bleach filters input to prevent Cross-Site Scripting (XSS) attacks. Security researchers discovered that Bleach fails to sanitize the formaction attribute, which can carry dangerous URI schemes such as javascript:. This vulnerability affects all versions of Bleach prior to 6.4.0.

Applications that explicitly allow the formaction attribute on submit-capable elements are vulnerable. The formaction attribute is used on elements such as <button>, <input type="submit">, or <input type="image"> to specify where the form data is sent when that element submits the form. Because Bleach does not check the protocol of the URI in this attribute, attackers can inject arbitrary script execution vectors.

This flaw represents a client-side HTML sanitization bypass. When a victim interacts with the sanitized but malicious element, the browser executes the payload. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output).

Root Cause Analysis

The root cause of this vulnerability lies in the sanitization pipeline implemented by Bleach, which wraps the html5lib library. The html5lib parser decomposes an HTML fragment into tokens, which are then passed through a series of filters. During this process, attributes that are designated to contain URIs must be validated and sanitized. This verification is performed by matching attribute names against a static list of known URI attributes.

In Bleach's vendored filter code, specifically bleach/sanitizer.py and the html5lib modules it depends on, a set named attr_val_is_uri defines these attributes. This set historically included standard URI-bearing attributes such as action, href, src, and poster. However, the formaction attribute was omitted from this list. As a result, the library did not route the value of formaction through its protocol-checking functions.

Browsers treat the formaction attribute as a direct replacement for the form's action URL when the triggering element is clicked. Under the HTML5 specification, if an element has a formaction attribute, that value overrides the action attribute of the parent <form>. Since the browser processes this attribute as a URI, it permits pseudo-protocols like javascript:. Bleach's failure to recognize formaction as a URI attribute allowed these dangerous schemes to persist in the sanitized output.

```mermaid
graph LR
    A["Untrusted HTML"] --> B["Bleach.clean()"]
    B --> C{"Is attribute in attr_val_is_uri?"}
    C -- Yes --> D["sanitize_uri() validation"]
    C -- No --> E["Preserve original value"]
    E --> F["Client-Side DOM Execution"]
```

Code Analysis

To understand the technical gap, we must examine how Bleach identifies URI-containing attributes. In bleach/_vendor/html5lib/filters/sanitizer.py, the set attr_val_is_uri is defined statically. When the sanitizer filter iterates over token attributes, it checks whether the attribute namespace and name exist within this set. If a match is found, the filter invokes sanitize_uri() to strip unauthorized schemes.

The vulnerable implementation did not include (None, 'formaction') in this set:

```python
# Vulnerable configuration in bleach/_vendor/html5lib/filters/sanitizer.py
attr_val_is_uri = {
    (None, 'action'),
    (None, 'href'),
    (None, 'src'),
    (None, 'poster'),
    # The (None, 'formaction') entry was missing here
}
```

The security patch added (None, 'formaction') to the attr_val_is_uri set. This single-line correction ensures that whenever the sanitizer encounters formaction, it treats the value as a URI and executes the validation routine. The patched code is structured as follows:

```python
# Patched configuration in bleach/_vendor/html5lib/filters/sanitizer.py
attr_val_is_uri = {
    (None, 'action'),
    (None, 'href'),
    (None, 'src'),
    (None, 'poster'),
    (None, 'formaction'),  # Added to ensure protocol verification
}
```

When formaction is processed with this patch in place, the sanitize_uri function parses the value. If the scheme does not match the configured list of allowed protocols (typically http, https, and mailto), the attribute is either stripped or neutralized. This prevents the preservation of javascript: payloads.
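As an added illustration (not Bleach's own code), the following Python model reproduces the per-attribute decision described above: an attribute's scheme is only checked when its name appears in the attr_val_is_uri-style set. Running it with the pre-patch and post-patch sets on the payload shape the advisory describes shows both the bypass and the fix; the tag and attribute allowlists and the sample input are constructed assumptions.

```python
# Added model of the per-attribute decision in Bleach's sanitizer filter;
# illustrative code, not Bleach's own implementation.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"form", "button", "input"}
ALLOWED_ATTRS = {"action", "formaction", "type"}  # formaction allowed by config
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
URI_ATTRS_VULNERABLE = {(None, "action"), (None, "href"), (None, "src"), (None, "poster")}
URI_ATTRS_PATCHED = URI_ATTRS_VULNERABLE | {(None, "formaction")}  # the one-line fix

def scheme_allowed(value):
    """True when the value is scheme-less (relative) or uses an allowed scheme."""
    m = re.match(r"\s*([a-zA-Z][a-zA-Z0-9+.-]*):", value)
    return m is None or m.group(1).lower() in ALLOWED_PROTOCOLS

class ModelSanitizer(HTMLParser):
    def __init__(self, uri_attrs):
        super().__init__()
        self.uri_attrs = uri_attrs  # the attr_val_is_uri-style set in force
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop disallowed tag; its text content is still emitted
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                continue
            if (None, name) in self.uri_attrs and not scheme_allowed(value):
                continue  # URI attribute with a disallowed scheme is stripped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))

def clean(fragment, uri_attrs):
    p = ModelSanitizer(uri_attrs)
    p.feed(fragment)
    p.close()
    return "".join(p.out)

PAYLOAD = '<form><button formaction="javascript:alert(1)">Submit</button></form>'  # constructed
```

With URI_ATTRS_VULNERABLE the formaction value is emitted verbatim; with URI_ATTRS_PATCHED the attribute is dropped while a relative or https: formaction is kept.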

Exploitation Methodology

Exploitation of this vulnerability requires that the target application meets specific configuration prerequisites. The developer must have explicitly configured Bleach to allow the formaction attribute on submit-capable tags, and those tags (<button> or <input>) must themselves be on the allowed tag list. If these conditions are met, the attack vector can be delivered through any untrusted user input field.

An attacker can construct a payload using a <button> element nested inside a <form> tag. The button is assigned a formaction attribute containing a malicious payload such as javascript:alert(document.cookie). When Bleach processes this HTML fragment, it validates the <button> and <form> tags against the whitelist but leaves the formaction value untouched, because that value is treated as a plain string rather than a URI.

```html
<!-- Vulnerable payload after sanitization -->
<form>
    <button formaction="javascript:alert(document.cookie)">Submit</button>
</form>
```

Once the sanitized payload is rendered in the victim's browser, it appears as a standard button. When the user clicks the button, the browser attempts to submit the form to the URL specified in the formaction attribute. Because the URL uses the javascript: pseudo-protocol, the browser executes the script in the context of the vulnerable application's origin, allowing session hijacking or credential theft.

Impact Assessment

The security impact of this vulnerability is client-side code execution under the origin of the hosting application. Successful exploitation results in Cross-Site Scripting (XSS). This allows an attacker to execute arbitrary script code within the victim's browser session, bypassing the Same-Origin Policy.

With active script execution, an attacker can access sensitive information stored in the browser. This includes session tokens, cookies, and local storage data. If the application does not utilize HttpOnly flags on session cookies, the attacker can exfiltrate these credentials to a controlled remote server. Furthermore, the attacker can perform unauthorized actions on behalf of the authenticated user, such as modifying account settings or initiating state-changing requests.

The Common Vulnerability Scoring System (CVSS) v3.1 assigns a score of 6.1 to this vulnerability. This medium-severity rating reflects that while the attack vector is network-based and requires no privileges, it depends on user interaction. The security scope is changed because the execution environment shifts from the backend data handler to the browser's DOM context.

Remediation and Long-Term Strategy

The primary remediation step is upgrading Bleach to version 6.4.0, which includes the missing entry in the URI attribute list. This update immediately resolves the sanitization bypass by subjecting the formaction attribute to the same protocol validation as other URI fields. However, developers must be aware of the long-term maintenance status of the Bleach library.

Mozilla formally deprecated Bleach and archived the repository. Version 6.4.0 is the final maintenance release of the project, meaning that no future security vulnerabilities or operational defects will be resolved by the maintainers. Consequently, continuing to rely on Bleach introduces long-term operational risk as new browser behaviors or security bypasses emerge.

To mitigate this risk, security teams should plan to migrate to supported alternatives. Libraries such as nh3, a Python binding to the Rust-based ammonia HTML sanitizer, provide actively maintained and high-performance alternatives. For temporary mitigation where upgrades cannot be immediately applied, developers must audit Bleach configurations and remove formaction from the list of allowed attributes.
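For the interim mitigation of auditing configurations, here is an added helper (not part of Bleach) that reports on which submit-capable tags a given Bleach attributes configuration lets formaction through, and produces a hardened copy. It assumes Bleach's documented shapes for the attributes argument: a list, a dict of tag to list or callable with an optional "*" wildcard key, or a single callable(tag, name, value); the sample configurations are constructed.

```python
# Added audit helper for the interim mitigation; not part of Bleach.
# Assumes Bleach's documented shapes for the `attributes` argument: a list
# (applies to every tag), a dict of tag -> list or callable with an optional
# "*" wildcard key, or a single callable(tag, name, value) -> bool.
import copy

SUBMIT_TAGS = ("button", "input")           # elements on which formaction fires
PROBE = "https://example.invalid/submit"     # benign value for probing callables

def _allows(rule, tag, name, value):
    """Apply one rule (callable or collection of names) to an attribute."""
    if callable(rule):
        return bool(rule(tag, name, value))
    return name in rule

def formaction_allowances(attributes, tags=SUBMIT_TAGS):
    """Return the submit-capable tags on which this config lets formaction through."""
    hits = []
    for tag in tags:
        if isinstance(attributes, dict):
            # A tag-specific entry or the "*" wildcard may allow the attribute.
            allowed = any(_allows(attributes[key], tag, "formaction", PROBE)
                          for key in (tag, "*") if key in attributes)
        else:
            allowed = _allows(attributes, tag, "formaction", PROBE)
        if allowed:
            hits.append(tag)
    return hits

def strip_formaction(attributes):
    """Return a hardened copy with formaction removed from list and dict forms.
    A top-level or per-tag callable is returned unchanged and must be fixed by hand."""
    if isinstance(attributes, dict):
        hardened = copy.deepcopy(attributes)
        for tag, rule in hardened.items():
            if not callable(rule):
                hardened[tag] = [a for a in rule if a != "formaction"]
        return hardened
    if callable(attributes):
        return attributes
    return [a for a in attributes if a != "formaction"]

# Constructed sample configurations: one risky, one already safe.
RISKY = {"*": ["class"], "button": ["type", "formaction"], "a": ["href"]}
SAFE = ["class", "href"]
```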

Technical Appendix

CVSS Score

6.1 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Systems

Bleach (PyPI Package)

Affected Versions Detail

  • Product: bleach (Mozilla)
  • Affected Versions: < 6.4.0
  • Fixed Version: 6.4.0

Attribute Details

  • CWE ID: CWE-79
  • Attack Vector: Network (AV:N)
  • CVSS Score: 6.1
  • Impact: Client-Side Code Execution (XSS)
  • Exploit Status: PoC
  • KEV Status: Not Listed

MITRE ATT&CK Mapping

  • T1190: Exploit Public-Facing Application (Initial Access)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controlled input before it is placed in output that is used as a web page that is served to other users.

Vulnerability Timeline

  • 2023-01-23: Mozilla officially announces the deprecation of Bleach due to its reliance on html5lib
  • 2026-06-05: Release of Bleach v6.4.0, which patches the formaction sanitization gap
  • 2026-06-16: GitHub Advisory Database publishes security advisory GHSA-gj48-438w-jh9v

