PT-2026-33573 · Pypi · Justhtml
Published 2026-04-08 · Updated 2026-04-08
CVSS v4.0: 2.1 (Low)
| Vector | AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
A parser-differential / mutation XSS issue was found in justhtml when using a custom sanitization policy that preserves foreign namespaces such as SVG or MathML. Under these custom settings, specially crafted input could sanitize into HTML that looked safe at first, but became unsafe when parsed again by a browser or another HTML parser.
Impact
This issue does not affect the default safe configuration.
You may be affected if you use a custom SanitizationPolicy with settings like:
- drop_foreign_namespaces=False
- allowlisted foreign elements such as MathML or SVG
- allowlisted raw-text containers such as <style>
In that case, an attacker could inject markup that survives sanitization and turns into active HTML after re-parsing.
Affected versions
justhtml <= 1.13.0
Fixed version
- Fixed in 1.14.0
Workarounds
Until you upgrade:
- keep drop_foreign_namespaces=True
- avoid allowlisting foreign namespaces for untrusted input
- avoid allowlisting raw-text containers such as <style> in custom policies
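The two checks a maintainer of a custom policy would want, as an added example that is not code from justhtml or its advisory: a lint that flags the policy shape described above (the policy is modelled as a plain dict and the key name drop_foreign_namespaces is an assumption), and a fixed-point check that re-sanitizes a sanitizer's own output and refuses to emit it if a second pass still changes it, which is the general defence against output that re-parses differently. The naive single-pass stripper and its inputs are constructed for the demonstration.

```python
from typing import Callable, Dict, List

# Settings the advisory names as widening the parser-differential surface.
RAW_TEXT_CONTAINERS = {"style", "script", "xmp", "iframe", "noembed", "noframes"}
FOREIGN_ELEMENTS = {"svg", "math"}


def policy_warnings(policy: Dict) -> List[str]:
    """Flag a custom policy shaped like the one the advisory describes.

    `policy` is a plain dict standing in for a SanitizationPolicy (assumption):
    {"drop_foreign_namespaces": bool, "allowed_tags": iterable of tag names}.
    """
    warnings = []
    tags = {t.lower() for t in policy.get("allowed_tags", ())}
    if not policy.get("drop_foreign_namespaces", True):
        warnings.append("drop_foreign_namespaces=False: foreign content is preserved")
    if tags & FOREIGN_ELEMENTS:
        warnings.append(f"foreign elements allowlisted: {sorted(tags & FOREIGN_ELEMENTS)}")
    if tags & RAW_TEXT_CONTAINERS:
        warnings.append(f"raw-text containers allowlisted: {sorted(tags & RAW_TEXT_CONTAINERS)}")
    return warnings


def is_fixed_point(sanitize: Callable[[str], str], markup: str) -> bool:
    """True when sanitizing the sanitizer's output changes nothing.

    If a second pass still alters the output, the first pass produced markup
    that parses differently on re-parse: the 'looked safe, became unsafe' case.
    """
    out = sanitize(markup)
    return sanitize(out) == out


def sanitize_or_reject(sanitize: Callable[[str], str], markup: str) -> str:
    """Return sanitized output only if it is a fixed point; otherwise refuse."""
    if not is_fixed_point(sanitize, markup):
        raise ValueError("sanitizer output is not stable under re-parsing; rejected")
    return sanitize(markup)


def naive_strip_style(markup: str) -> str:
    """Constructed, deliberately naive stand-in: one textual removal pass."""
    return markup.replace("<style>", "").replace("</style>", "")


if __name__ == "__main__":
    risky = {"drop_foreign_namespaces": False, "allowed_tags": ["p", "svg", "style"]}
    for w in policy_warnings(risky):
        print("WARN:", w)
    print(sanitize_or_reject(naive_strip_style, "<p>hello</p>"))
    print(is_fixed_point(naive_strip_style, "<st<style>yle>x</st</style>yle>"))
```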
Notes
The default JustHTML(..., sanitize=True) behavior was not found to be vulnerable in this issue.
Credit
Discovered by the JustHTML author during an LLM-based security review of justhtml.
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Justhtml