w3c/css-validator is vulnerable to cross-site scripting (XSS) due to insufficient input sanitization.
css-validator application takes a URI as input.
For example, here the URI is
In case of a CSS error, this URI is saved in the field sourceFile and it is also saved in the error message. They are passed to the template engine here and here. After that the values are read in the template and reflected back to the user unescaped here and here, causing XSS.
- 2020-06-15: Asked to open a Github security advisory.
- 2020-06-18: Invited to Github security advisory.
- 2020-06-19: Issue is patched.
- 2020-06-19: Advisory is published.
- 2020-06-20: CVE is assigned.
This issue was discovered and reported by @intrigus-lgtm.
You can contact the ISL at
email@example.com. Please include a reference to
ISL-2020-003 in any communication regarding this issue.