lxml_html_clean CSS Filter Bypass Vulnerability Allowing External Stylesheet Loading and XSS

Vulnerability

A vulnerability in lxml_html_clean versions prior to 0.4.4 allows CSS Unicode escape sequences to bypass filters intended to block the dangerous @import and expression() keywords. This flaw could lead to the loading of external CSS or to cross-site scripting (XSS) in older browsers. The issue arises because the library's method for detecting harmful CSS keywords does not handle Unicode escape sequences correctly, so an escaped spelling of a blocked keyword evades the check. As a result, malicious styles can be injected and executed, particularly in Internet Explorer, where expression() can be used for XSS.

Impact

Exploitation of this vulnerability could result in unauthorized loading of external CSS, potentially leading to data exfiltration or UI redressing. In older browsers such as Internet Explorer, it could enable cross-site scripting (XSS) through the expression() function.

Reproduction

To reproduce this vulnerability, use lxml_html_clean version 0.4.3 and create a payload that uses CSS Unicode escape sequences to bypass the @import and expression() filters. For example, a style tag containing '@\69mport' or '@\65xpression' would be processed incorrectly, allowing the import of external CSS or, in the case of expression(), execution of JavaScript.
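To show why a keyword filter that inspects raw stylesheet text misses escaped spellings, and what a check that normalizes CSS escapes first looks like, the following is an added illustration written for this page. It is not lxml_html_clean's own code, and the function names, the regular expressions and the sample CSS strings are assumptions constructed for the demonstration.

```python
import re

# A CSS escape is a backslash followed by 1-6 hex digits and an optional
# single whitespace character, or a backslash followed by any one
# non-newline character that is then taken literally (CSS Syntax Level 3).
_CSS_ESCAPE_RE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\n\f\r]?|([^\n\r\f]))')


def unescape_css(text: str) -> str:
    """Replace CSS escape sequences with the characters they denote."""

    def _replace(match: re.Match) -> str:
        hexdigits, literal = match.group(1), match.group(2)
        if hexdigits is not None:
            codepoint = int(hexdigits, 16)
            # Null, surrogates and out-of-range values decode to U+FFFD per spec.
            if codepoint == 0 or codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
                return '\uFFFD'
            return chr(codepoint)
        return literal

    return _CSS_ESCAPE_RE.sub(_replace, text)


# Keywords the filter is meant to reject (hypothetical list for this example).
_DANGEROUS_RE = re.compile(r'@import|expression\s*\(|javascript\s*:', re.IGNORECASE)


def naive_is_dangerous(css: str) -> bool:
    """Weak check: looks for the keywords in the raw text only."""
    return bool(_DANGEROUS_RE.search(css))


def hardened_is_dangerous(css: str) -> bool:
    """Stronger check: decode escapes first, then look for the keywords."""
    return bool(_DANGEROUS_RE.search(unescape_css(css)))


# Constructed sample inputs; the escaped spellings mirror the ones in the advisory.
SAMPLES = {
    'plain_import': '@import url(https://example.invalid/x.css);',
    'escaped_import': '@\\69mport url(https://example.invalid/x.css);',
    'escaped_expression': 'width: \\65xpression(x);',
    'benign_escape': "content: '\\201C';",
}


def compare_checks() -> dict:
    """Run both checks over the samples and return (naive, hardened) per sample."""
    return {name: (naive_is_dangerous(css), hardened_is_dangerous(css))
            for name, css in SAMPLES.items()}


if __name__ == '__main__':
    for name, (naive, hardened) in compare_checks().items():
        print(f'{name:20s} naive={naive!s:5s} hardened={hardened}')
```

The point of the comparison is that the naive check flags only the literal spelling, while the hardened one flags both the literal and the escaped spellings and still leaves the benign quotation-mark escape alone; a filter that matches on raw text without normalizing escapes is exactly the pattern the advisory describes.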

Remediation

Users should upgrade to lxml_html_clean version 0.4.4 or later, where this vulnerability has been patched.

Added: Mar 5, 2026, 8:19 PM
Updated: Mar 5, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 6.3
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.