Skip to content
This repository was archived by the owner on Jun 10, 2026. It is now read-only.

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes

Moderate
willkg published GHSA-gj48-438w-jh9v Jun 5, 2026

Package

bleach (PyPI)

Affected versions

< 6.3.1

Patched versions

None

Description

Summary

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes.

Bleach applies URI protocol sanitization only to attributes listed in attr_val_is_uri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is not. As a result, if a downstream application explicitly allows formaction on submit-capable controls in untrusted HTML, Bleach preserves dangerous values such as javascript:alert(1) instead of stripping them.

This can lead to submit-triggered JavaScript execution in applications that rely on Bleach to sanitize untrusted HTML and allow the relevant tag/attribute combination.


Details

The issue appears to be a URI-sanitization coverage gap in Bleach’s sanitizer logic.

Relevant code paths:

  • bleach/sanitizer.pyBleachSanitizerFilter.allow_token (around line 553)
  • bleach/_vendor/html5lib/filters/sanitizer.pyattr_val_is_uri (around line 525)

In BleachSanitizerFilter.allow_token, URI protocol sanitization is only applied when:

if namespaced_name in self.attr_val_is_uri:

However, (None, 'formaction') is currently missing from attr_val_is_uri.

This creates an inconsistency where action is protocol-sanitized, but formaction is not.

As a result, if a downstream application allows:

  • tags such as <button> or <input>
  • the formaction attribute

then Bleach preserves dangerous URI schemes such as javascript: in formaction.

Examples of affected submit-capable controls include:

  • <button> (default submit behavior unless type="button" is set)
  • <input type="submit">
  • <input type="image">

This appears to be a real library-side sanitizer gap rather than only an application misuse issue, because Bleach already treats similar URI-bearing attributes (such as action) as protocol-sensitive and sanitizes them.

Suggested minimal fix:

Add:

(None, 'formaction')

to attr_val_is_uri in:

  • bleach/_vendor/html5lib/filters/sanitizer.py

I also prepared a minimal patch and focused regression tests if helpful.


PoC

Below are minimal reproductions using bleach.clean().

1) <button>

from bleach import clean

print(clean(
    '<form><button formaction="javascript:alert(1)">go</button></form>',
    tags={'form', 'button'},
    attributes={'button': ['formaction']},
))

Actual output:

<form><button formaction="javascript:alert(1)">go</button></form>

Expected output:

<form><button>go</button></form>

2) <input type="submit">

print(clean(
    '<form><input type="submit" formaction="javascript:alert(1)" value="go"></form>',
    tags={'form', 'input'},
    attributes={'input': ['type', 'formaction', 'value']},
))

Actual output:

<form><input type="submit" formaction="javascript:alert(1)" value="go"></form>

Expected output:

<form><input type="submit" value="go"></form>

3) <input type="image">

print(clean(
    '<form><input type="image" formaction="javascript:alert(1)" src="/foo.png"></form>',
    tags={'form', 'input'},
    attributes={'input': ['type', 'formaction', 'src']},
))

Actual output:

<form><input type="image" formaction="javascript:alert(1)" src="/foo.png"></form>

Expected output:

<form><input type="image" src="/foo.png"></form>

Impact

This is a client-side HTML sanitization bypass / dangerous URI preservation issue.

If an application relies on Bleach to sanitize untrusted HTML and explicitly allows:

  • formaction
  • and submit-capable controls such as <button> or <input>

then Bleach can emit sanitized output that still contains a dangerous javascript: URI in formaction.

That can lead to submit-triggered JavaScript execution when the user activates the control.

Impact is limited to configurations that explicitly allow the relevant tag/attribute combination, but the issue is still security-relevant because:

  • formaction is a real browser sink
  • Bleach already protocol-sanitizes similar URI-bearing attributes like action
  • the omission creates inconsistent sanitizer coverage for dangerous URI schemes

I would currently assess this as Medium severity.

If useful, I also have:

  • a minimal patch

  • focused regression tests for:

    • <button formaction="javascript:...">
    • <input type="submit" formaction="javascript:...">
    • <input type="image" formaction="javascript:...">
    • a safe control case where formaction="/submit" is preserved

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits