Source: rust-ammonia
Version: 4.1.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

See https://rustsec.org/advisories/RUSTSEC-2025-0071.html for details:

|Affected versions of this crate did not correctly strip
|namespace-incompatible tags in certain situations, causing it to
|incorrectly account for differences between HTML, SVG, and MathML.
|
|This vulnerability only has an effect when the svg or math tag is
|allowed, because it relies on a tag being parsed as html during the
|cleaning process, but serialized in a way that causes it to be parsed
|as xml by the browser.
|
|Additionally, the application using this library must allow a tag that
|is parsed as raw text in HTML. These elements are:
|
| title
| textarea
| xmp
| iframe
| noembed
| noframes
| plaintext
| noscript
| style
| script
|
|Applications that do not explicitly allow any of these tags should not
|be affected, since none are allowed by default.

Regards,
Salvatore
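
Added example, not part of the original report or of the ammonia crate: a stand-alone triage helper that checks a sanitizer tag allowlist against the two preconditions quoted from the advisory. It does not call ammonia; the names `check_allowlist` and `Exposure` and the sample allowlists are constructed for illustration.

```rust
use std::collections::BTreeSet;

/// Tags the advisory lists as parsed as raw text in HTML.
const RAW_TEXT_TAGS: [&str; 10] = [
    "title", "textarea", "xmp", "iframe", "noembed",
    "noframes", "plaintext", "noscript", "style", "script",
];
/// The advisory only applies when the svg or math tag is allowed.
const FOREIGN_ROOTS: [&str; 2] = ["svg", "math"];

/// Which of the advisory's precondition tags one allowlist contains.
#[derive(Debug, PartialEq)]
pub struct Exposure {
    pub foreign_roots: BTreeSet<String>,
    pub raw_text_tags: BTreeSet<String>,
}

impl Exposure {
    /// Both conditions must hold: svg or math allowed AND a raw-text tag allowed.
    pub fn affected(&self) -> bool {
        !self.foreign_roots.is_empty() && !self.raw_text_tags.is_empty()
    }
}

/// Normalise an allowlist (trim, lowercase) and pick out the relevant tags.
pub fn check_allowlist(allowed: &[&str]) -> Exposure {
    let norm: BTreeSet<String> =
        allowed.iter().map(|t| t.trim().to_ascii_lowercase()).collect();
    let pick = |set: &[&str]| -> BTreeSet<String> {
        set.iter().filter(|t| norm.contains(**t)).map(|t| t.to_string()).collect()
    };
    Exposure { foreign_roots: pick(&FOREIGN_ROOTS), raw_text_tags: pick(&RAW_TEXT_TAGS) }
}

fn main() {
    // Constructed allowlists, not taken from any real application.
    let samples = [
        &["a", "p", "b"][..],       // neither condition met
        &["p", "svg", "path"][..],  // foreign root only
        &["p", "SVG", "style"][..], // both conditions met
    ];
    for tags in samples {
        let e = check_allowlist(tags);
        println!("{:?}: affected={} {:?}", tags, e.affected(), e);
    }
}
```

An allowlist that reports `affected` on a version covered by the advisory is the case to prioritise for the upgrade; an allowlist with only one of the two conditions is outside the advisory's stated preconditions.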

