Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
References
github.com/...istune/security/advisories/GHSA-g97x-gvcm-x72h
github.com/...ommit/a3cb6e5655308797e8be021d6c7b5bab13cbace2
github.com/lepture/mistune/releases/tag/v3.2.1