PT-2026-28773 · Pypi · Justhtml
Published 2026-03-18 · Updated 2026-03-18
CVSS v4.0 5.3 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Summary
Sanitized DOM trees can be unsafe to serialize when a custom policy allows raw-text elements such as <style> or <script>. The issue affects DOM trees that are constructed or modified programmatically and then passed through sanitize_dom() with a policy that keeps these elements. Text nodes inside <style> and <script> are serialized literally, with no escaping, so attacker-controlled text containing the matching closing tag sequence (for example </style> inside a <style> text node) ends the raw-text element when the output is parsed again and injects HTML into the serialized output. The default sanitization policy is not affected because it drops the contents of style and script.
Details
The root cause is in HTML serialization of raw-text elements. In serialize.py, text children of script and style are emitted verbatim:

```python
LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})


def serialize_text_for_parent(text: str | None, parent_name: str | None) -> str:
    if not text:
        return ""
    # Raw-text parents: the text is returned unchanged, so a closing tag
    # inside it terminates the element when the output is parsed again.
    if parent_name in LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    # escape_text is the module's normal entity-escaping routine (not shown).
    return escape_text(text)
```

Fix
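The following is an added illustration, not justhtml's code and not the project's patch: a minimal serializer that applies the verbatim raw-text rule quoted above to a constructed DOM, a constructed text node that breaks out of <style>, a re-parse showing the injected element, and one way to refuse such text. The tuple node shape, VOID_ELEMENTS, the body of escape_text, RawTextBreakout and serialize_text_for_parent_safe are assumptions made for this example.

```python
"""Added example (not justhtml's own code): verbatim raw-text serialization,
a constructed breakout, and a hardened variant that rejects the end tag."""
from __future__ import annotations

import html
import re
from html.parser import HTMLParser

LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})
VOID_ELEMENTS = frozenset({"br", "hr", "img", "input", "link", "meta"})  # assumed subset


class RawTextBreakout(ValueError):
    """Assumed error: text under <script>/<style> contains the element's own end tag."""


def escape_text(text: str) -> str:
    # Assumed stand-in for the module's escape_text: entity-escape &, < and >.
    return html.escape(text, quote=False)


def serialize_text_for_parent(text: str | None, parent_name: str | None) -> str:
    # The vulnerable rule from the advisory: raw-text children are returned unchanged.
    if not text:
        return ""
    if parent_name in LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    return escape_text(text)


def _end_tag_re(name: str) -> re.Pattern[str]:
    # The HTML tokenizer leaves raw text only at "</" + name (ASCII case-insensitive)
    # followed by whitespace, "/" or ">"; "</stylesheet>" inside <style> is still text.
    return re.compile(r"</" + re.escape(name) + r"(?=[\t\n\f\r />])", re.IGNORECASE)


def serialize_text_for_parent_safe(text: str | None, parent_name: str | None) -> str:
    # Hardened variant (assumed, not the project's fix): entity-escaping is not
    # available inside <style>/<script>, so refuse text that would end the element.
    if not text:
        return ""
    if parent_name in LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        if _end_tag_re(parent_name).search(text):
            raise RawTextBreakout(f"text under <{parent_name}> contains </{parent_name}>")
        return text
    return escape_text(text)


def serialize(node, text_fn=serialize_text_for_parent, parent_name=None) -> str:
    # Constructed DOM shape: a str is a text node, a tuple is (name, attrs, children).
    if isinstance(node, str):
        return text_fn(node, parent_name)
    name, attrs, children = node
    attr_str = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs.items())
    if name in VOID_ELEMENTS:
        return f"<{name}{attr_str}>"
    inner = "".join(serialize(child, text_fn, name) for child in children)
    return f"<{name}{attr_str}>{inner}</{name}>"


class _StartTagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def reparsed_start_tags(markup: str) -> list[str]:
    # What a consumer that parses the serialized output actually sees.
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.names


# Constructed attacker-controlled text that application code placed under <style>.
ATTACKER_CSS = "body{}</style><img src=x onerror=alert(1)>"


def build_tree(css_text: str = ATTACKER_CSS):
    return ("div", {}, [("style", {}, [css_text]), "hi"])


def vulnerable_output(tree=None) -> str:
    return serialize(build_tree() if tree is None else tree)


def hardened_result(tree=None) -> tuple[str, str]:
    try:
        return ("ok", serialize(build_tree() if tree is None else tree,
                                text_fn=serialize_text_for_parent_safe))
    except RawTextBreakout as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    out = vulnerable_output()
    print(out)
    print("start tags after re-parse:", reparsed_start_tags(out))
    print(hardened_result())
```

Two caveats for anyone writing a policy that keeps these elements. Entity escaping cannot be used as the fix, because `&lt;` inside <style> or <script> is literal stylesheet or script text, not a less-than sign; the choices are to reject the node (as above), to drop it, or to drop its contents as the default policy does. For <script> specifically, `<!--` in the text moves the HTML tokenizer into the script-data-escaped state, where a nested `<script>` changes how the end tag is recognised, so a strict policy also refuses `<!--` in script text.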
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Justhtml