PT-2026-28773 · Pypi · Justhtml

Published

2026-03-18

·

Updated

2026-03-18

CVSS v4.0

5.3

Medium

Vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Sanitized DOM trees can be unsafe to serialize when a custom policy allows raw-text elements such as <style> or <script>.
The issue affects DOM trees that are constructed or modified programmatically and then passed through sanitize_dom() with a policy that keeps these elements. Text nodes inside <style> and <script> are serialized literally, so attacker-controlled text containing the matching closing tag sequence can break out of the raw-text context and inject HTML into the serialized output.
The default sanitization policy is not affected because it drops the contents of style and script.

Details

The root cause is in HTML serialization of raw-text elements. In serialize.py, text children of script and style are emitted verbatim:
```python
# Excerpt from serialize.py as quoted in the advisory; escape_text is the
# module's own text-escaping helper and is not shown here.
LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})

def serialize_text_for_parent(text: str | None, parent_name: str | None) -> str:
    if not text:
        return ""
    # Text children of <script> and <style> are returned verbatim: no check
    # that the text contains the parent's own end-tag sequence.
    if parent_name in LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    return escape_text(text)
```
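The following is an added, self-contained example (not justhtml's own code) that reproduces the raw-text behaviour described above over a small constructed DOM and places a hardened serializer beside it. The hardened variant detects the parent's own end-tag sequence in a <script>/<style> text node and refuses to serialize it, which is the conservative fix: HTML entities are not decoded inside raw-text elements, so there is no escape sequence that both preserves the text and is guaranteed safe in both contexts. The tuple-based DOM, the `serialize` function and the `find_raw_text_breakout` helper are assumptions of this example, not the library's API.

```python
import re
from html import escape

# Mirrors the advisory's LITERAL_TEXT_SERIALIZATION_ELEMENTS (standalone example,
# not justhtml's own code).
LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})


def serialize_text_for_parent(text, parent_name):
    """Vulnerable behaviour described in the advisory: raw text emitted verbatim."""
    if not text:
        return ""
    if parent_name in LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    return escape(text, quote=False)


def find_raw_text_breakout(text, parent_name):
    """Return the end-tag sequence that would close a raw-text parent, or None.

    HTML tokenization ends <script>/<style> text at the first '</' followed by
    the element's own name (case-insensitive) and a tag-name terminator
    (whitespace, '/' or '>'). End-of-string is also accepted to stay conservative.
    """
    if parent_name not in LITERAL_TEXT_SERIALIZATION_ELEMENTS or not text:
        return None
    pattern = re.compile(r"</" + re.escape(parent_name) + r"(?=[\s/>]|$)", re.IGNORECASE)
    match = pattern.search(text)
    return match.group(0) if match else None


def safe_serialize_text_for_parent(text, parent_name):
    """Hardened variant: refuse raw text that can terminate its own parent element."""
    breakout = find_raw_text_breakout(text, parent_name)
    if breakout is not None:
        raise ValueError(
            f"raw text for <{parent_name}> contains end-tag sequence {breakout!r}"
        )
    return serialize_text_for_parent(text, parent_name)


def serialize(node, serializer=serialize_text_for_parent):
    """Serialize a tiny constructed DOM: ('tag', attrs, children) tuples or str text nodes."""
    if isinstance(node, str):
        return serializer(node, None)
    tag, attrs, children = node
    attr_str = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs.items())
    inner = "".join(
        serializer(child, tag) if isinstance(child, str) else serialize(child, serializer)
        for child in children
    )
    return f"<{tag}{attr_str}>{inner}</{tag}>"


# Constructed input: a <style> element kept by a permissive policy whose text
# node carries the parent's closing tag followed by markup.
CONSTRUCTED_TREE = ("div", {}, [
    ("style", {}, ["body{color:red} </style><b>injected</b>"]),
    "plain & text",
])


def demo():
    """Return (vulnerable output, hardened error message) for the constructed tree."""
    vulnerable = serialize(CONSTRUCTED_TREE)
    try:
        serialize(CONSTRUCTED_TREE, safe_serialize_text_for_parent)
        hardened = None
    except ValueError as exc:
        hardened = str(exc)
    return vulnerable, hardened


if __name__ == "__main__":
    out, err = demo()
    print("vulnerable:", out)
    print("hardened:  ", err)
```

In the vulnerable output the <style> element is closed early and the `<b>` markup lands in document context; the hardened serializer raises instead, which a caller can turn into a policy decision (drop the element, or fall back to the default policy that strips raw-text contents) before any HTML is produced.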

Fix

XSS


Weakness Enumeration

Related identifiers

GHSA-QVC2-MG72-JJHX

Affected products

Justhtml