CVE-2020-6802 in Bleach
Summary
by MITRE
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Analysis
by VulDB Data Team • 03/10/2026
CVE-2020-6802 is a cross-site scripting flaw in the Mozilla Bleach library in versions prior to 3.11. It affects callers of bleach.clean that include both the noscript tag and a raw tag in the allowed (whitelisted) tags option. With that combination in the allow-list, the sanitizer mishandles the resulting HTML, so input that passes sanitization can still inject script that executes in users' browsers.
The flaw lies in the sanitization step itself: when noscript and a raw tag are both allowed, Bleach fails to adequately escape or remove dangerous attributes and content, because it does not account for the parsing context those tags create. The noscript element is meant to carry fallback content for users with scripting disabled, but combined with raw tags, whose content can hold arbitrary HTML, it opens a path for injected markup to survive sanitization. This is a mutation XSS: the sanitizer's output is re-parsed by the browser differently from how the sanitizer interpreted it. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation (cross-site scripting).
The operational impact is that attackers can bypass the XSS protection Bleach is meant to provide. Where noscript and raw tags are allowed, injected script runs in the context of other users' browsers, which can lead to session hijacking, data theft or redirection to malicious sites. Because Bleach is widely used for HTML sanitization, the flaw potentially affects thousands of web applications that rely on it for content filtering.
Mitigation for CVE-2020-6802 is to upgrade to Bleach 3.11 or later, which handles the noscript-plus-raw-tag combination correctly. Organizations should also review existing allowed-tag configurations and remove raw tags that are not strictly needed, especially where noscript is also permitted. Input validation and output encoding at other layers of the application add defense in depth. In ATT&CK terms the vulnerability maps to T1203, Exploitation for Client Execution, since it lets attackers run code in users' browsers through web-based exploitation. Security teams should also monitor HTML-processing paths for unusual patterns that could indicate exploitation attempts, and include tag-combination edge cases in security testing.
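The configuration review and the testing advice above can be turned into code. The following is an added example, not part of the VulDB page or of the Bleach project: a guard that detects the vulnerable allow-list (noscript together with a raw tag), a fail-closed variant that drops noscript from such a list, a generic idempotence check for catching mutation behaviour in any sanitizer, and a thin wrapper that refuses to call bleach.clean with the risky configuration. The RAW_TEXT_TAGS set is our own assumption about which HTML elements count as "raw" tags; the list Bleach itself uses is not on the page and may differ. The bleach import is optional so the guard logic runs offline with the standard library only.

```python
"""Guard rails around bleach.clean for the CVE-2020-6802 tag combination.

Added example; not Bleach's own code. Assumptions are marked in comments.
"""
from __future__ import annotations

from typing import Callable, Iterable

try:
    import bleach  # real library, used only if it is installed
except ImportError:  # keeps the example runnable without bleach
    bleach = None

# Assumption: HTML elements whose body the HTML5 tokenizer reads as raw text
# (script/style/xmp/iframe/noembed/noframes) or escapable raw text
# (title/textarea). These are what we treat as the advisory's "raw tags";
# the exact set Bleach checks for is not on the page and may differ.
RAW_TEXT_TAGS = frozenset({"script", "style", "xmp", "iframe", "noembed",
                           "noframes", "title", "textarea"})


def risky_raw_tags(allowed_tags: Iterable[str]) -> set[str]:
    """Return the raw-text tags that are allowed alongside ``noscript``.

    An empty set means the allow-list does not contain the vulnerable
    combination described for CVE-2020-6802. Tag names are normalised
    to lower case because HTML tag names are case-insensitive.
    """
    tags = {t.strip().lower() for t in allowed_tags}
    if "noscript" not in tags:
        return set()
    return tags & RAW_TEXT_TAGS


def harden_allowed_tags(allowed_tags: Iterable[str]) -> list[str]:
    """Fail closed: drop ``noscript`` when a raw-text tag is also allowed.

    The order of the remaining tags is preserved so the result can be
    passed straight to bleach.clean(tags=...).
    """
    tags = list(allowed_tags)
    if not risky_raw_tags(tags):
        return tags
    return [t for t in tags if t.strip().lower() != "noscript"]


def is_idempotent(sanitize: Callable[[str], str], html: str) -> bool:
    """Generic mutation check: a sanitizer's output should be a fixed point.

    If sanitizing the output a second time changes it, the first pass
    emitted markup that is re-interpreted on re-parse, which is the
    signature of a mutation XSS. Useful in a test suite fed with inputs
    that exercise every tag in the allow-list.
    """
    once = sanitize(html)
    return sanitize(once) == once


def safe_clean(html: str, allowed_tags: Iterable[str], **kwargs) -> str:
    """Call bleach.clean only if the allow-list avoids the risky combination."""
    tags = list(allowed_tags)
    risky = risky_raw_tags(tags)
    if risky:
        raise ValueError(
            f"allow-list combines 'noscript' with raw-text tags {sorted(risky)}; "
            "this is the CVE-2020-6802 configuration")
    if bleach is None:
        raise RuntimeError("bleach is not installed; install it to sanitize")
    return bleach.clean(html, tags=tags, **kwargs)


if __name__ == "__main__":
    # Constructed allow-list for demonstration.
    vulnerable = ["p", "a", "noscript", "textarea"]
    print("risky raw tags:", sorted(risky_raw_tags(vulnerable)))  # ['textarea']
    print("hardened list:", harden_allowed_tags(vulnerable))       # ['p', 'a', 'textarea']
```

Use risky_raw_tags in a configuration test or a startup assertion so a deployment with the vulnerable combination fails loudly rather than sanitizing silently; is_idempotent is independent of Bleach and can be applied to any sanitizer callable as a cheap regression test for mutation behaviour.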