diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch
new file mode 100644
index 0000000..0368606
--- /dev/null
+++ b/SOURCES/CVE-2021-28957.patch
@@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index caf6b21..ea3c016 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+ 'usemap',
+ # Not standard:
+ 'dynsrc', 'lowsrc',
++ # HTML5 formaction
++ 'formaction'
+ ])
+
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 451eec2..e40cdad 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
+ b'',
+ lxml.html.tostring(clean_html(s)))
+
++ def test_formaction_attribute_in_button_input(self):
++ # The formaction attribute overrides the form's action and should be
++ # treated as a malicious link attribute
++ html = ('
'
++ '')
++ expected = (''
++ '
')
++ cleaner = Cleaner(
++ forms=False,
++ safe_attrs_only=False,
++ )
++ self.assertEqual(
++ expected,
++ cleaner.clean_html(html))
++
+
+ def test_suite():
+ suite = unittest.TestSuite()
diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec
index 4f3405d..0111e56 100644
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@@ -2,13 +2,18 @@
Name: python-%{modname}
Version: 4.6.2
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD
URL: https://github.com/lxml/lxml
Source0: %{pypi_source %{modname}}
+# Fix for CVE-2021-28957: missing input sanitization
+# for formaction HTML5 attributes which may lead to XSS
+# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch1: CVE-2021-28957.patch
+
# Exclude i686 arch. Due to a modularity issue it's being added to the
# x86_64 compose of CRB, but we don't want to ship it at all.
# See: https://projects.engineering.redhat.com/browse/RCM-72605
@@ -67,6 +72,10 @@ env WITH_CYTHON=true %py3_build
%{python3_sitearch}/%{modname}-*.egg-info/
%changelog
+* Wed Mar 24 2021 Charalampos Stratakis - 4.6.2-3
+- Security fix for CVE-2021-28957
+Resolves: rhbz#1941534
+
* Mon Jan 18 2021 Tomas Orsava - 4.6.2-2
- Convert from Fedora to the python39 module in RHEL8
- Resolves: rhbz#1877430