{"id":"RUSTSEC-2022-0003","summary":"Space bug in `clean_text`","details":"An incorrect mapping from HTML specification to ASCII codes was used.\nBecause HTML treats the Form Feed as whitespace, code like this has an injection bug:\n\n    let html = format!(\"\u003cdiv title={}\u003e\", clean_text(user_supplied_string));\n\nApplications are not affected if they quote their attributes, or if they don't use `clean_text` at all.","aliases":["GHSA-p2g9-94wh-65c2"],"modified":"2023-11-08T04:21:23.389784Z","published":"2022-01-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ammonia"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0003.html"},{"type":"WEB","url":"https://github.com/rust-ammonia/ammonia/pull/147"}],"affected":[{"package":{"name":"ammonia","ecosystem":"crates.io","purl":"pkg:cargo/ammonia"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.1.3"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["ammonia::clean_text"],"os":[],"arch":[]}},"database_specific":{"categories":["format-injection"],"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0003.json","informational":null}}],"schema_version":"1.7.3"}