jsoup · CVE-2022-36033
**Name of the Vulnerable Software and Affected Versions**
jsoup versions prior to 1.15.3
**Description**
The issue is incorrect sanitization of HTML containing `javascript:` URL expressions, which could allow cross-site scripting (XSS) when a reader subsequently clicks such a link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters is not sanitized. If the site on which this HTML is published does not set a Content Security Policy, an XSS attack is then possible.
**Recommendations**
To resolve the issue for versions prior to 1.15.3:
- Upgrade to version 1.15.3.
- Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.
As a temporary workaround, consider disabling the `SafeList.preserveRelativeLinks` option, which will rewrite input URLs as absolute URLs.
Regardless of upgrading, ensure an appropriate Content Security Policy is defined, as a defence-in-depth best practice.
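The following self-check, an added example that is not part of the advisory or of jsoup's own code, runs the cleaner over a constructed `javascript:` URL containing a control character in both the affected configuration (`preserveRelativeLinks(true)`) and the default one, then inspects the cleaned output the way a browser would read it. It assumes jsoup 1.14.1 or later, where the class is named `Safelist`; the base URI `https://example.invalid/` and the class name `JsoupLinkCheck` are placeholders.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class JsoupLinkCheck {
    // Constructed test input: a javascript: scheme split by an ASCII control
    // character (tab), the pattern the advisory describes for CVE-2022-36033.
    static final String INPUT = "<a href=\"java\u0009script:void(0)\">click</a>";
    static final String BASE_URI = "https://example.invalid/"; // placeholder base URI

    // Affected configuration: relative links are kept as written.
    static String cleanPreservingRelative(String html) {
        Safelist safelist = Safelist.basic().preserveRelativeLinks(true);
        return Jsoup.clean(html, BASE_URI, safelist);
    }

    // Default configuration (the advisory's temporary workaround): links are
    // resolved against the base URI, so only allowed absolute schemes survive.
    static String cleanDefault(String html) {
        return Jsoup.clean(html, BASE_URI, Safelist.basic());
    }

    // Defender's check: parse the cleaned markup, decode each href, strip the
    // control characters a browser ignores, then test for the javascript: scheme.
    // Searching the raw string for "javascript:" would miss the split form.
    static boolean containsJavascriptUrl(String cleanedHtml) {
        for (Element a : Jsoup.parse(cleanedHtml).select("a[href]")) {
            String href = a.attr("href").replaceAll("[\\x00-\\x1F\\x7F]", "").toLowerCase();
            if (href.startsWith("javascript:")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String preserved = cleanPreservingRelative(INPUT);
        String resolved = cleanDefault(INPUT);
        System.out.println("preserveRelativeLinks=true  -> " + preserved);
        System.out.println("preserveRelativeLinks=false -> " + resolved);
        boolean unsafe = containsJavascriptUrl(preserved) || containsJavascriptUrl(resolved);
        System.out.println(unsafe
                ? "javascript: URL survived cleaning: upgrade to 1.15.3+ and re-clean stored content"
                : "no javascript: URL in cleaned output");
    }
}
```

Run it against the jsoup version actually on your classpath; the same `containsJavascriptUrl` check can be applied to stored content when re-cleaning it after the upgrade, to confirm nothing crafted remains.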