CVE-2021-46871: 
JavaScript vulnerability analysis and mitigation

CVE-2021-46871 affects Phoenix.HTML (also known as phoenix_html) versions before 3.0.4. The vulnerability is related to Cross-Site Scripting (XSS) in HEEx class attributes, where the class attribute was not properly protected against XSS attacks when using HEEx (GitHub Advisory). The vulnerability was disclosed and assigned a CVSS v3.1 base score of 6.1 (Medium severity) (NVD).

The vulnerability exists in the tag.ex component of Phoenix.HTML where class attributes in HEEx templates were not properly escaped, potentially allowing for XSS attacks. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction (NVD). The issue was fixed by ensuring proper escaping of class attribute values in the HEEx implementation (Phoenix Commit).

The vulnerability could allow an attacker to execute cross-site scripting attacks through class attributes in HEEx templates. This could potentially lead to the disclosure of sensitive information or manipulation of web content presented to users (NVD).

The vulnerability has been fixed in Phoenix.HTML version 3.0.4. Users should upgrade to this version or later to mitigate the risk. The fix involves proper escaping of class attribute values in HEEx templates (GitHub Advisory, Phoenix Commit).