### [CVE-2021-23980](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980)

![](https://img.shields.io/static/v1?label=Product&message=Mozilla%20Bleach&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=%3C%203.3.0%20&color=brighgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=%20mutation%20XSS%20via%20allowed%20math%20or%20svg%3B%20p%20or%20br%3B%20and%20style%2C%20title%2C%20noscript%2C%20script%2C%20textarea%2C%20noframes%2C%20iframe%2C%20or%20xmp%20tags%20with%20strip_comments%3DFalse&color=brighgreen)

### Description

A mutation XSS affects users calling `bleach.clean` with all of the following:

- `svg` or `math` in the allowed tags
- `p` or `br` in the allowed tags
- `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in the allowed tags
- the keyword argument `strip_comments=False`

Note: none of the above tags are in the default allowed tags, and `strip_comments` defaults to `True`.

### POC

#### Reference

- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980

#### Github

No PoCs found on GitHub currently.