PT-2026-30289 — XSS in Pypi Justhtml

PT-2026-30289 · Pypi · Justhtml

Published

2026-03-24

Updated

2026-03-24

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

to markdown() is vulnerable when serializing attacker-controlled <pre> content. The <pre> handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content.

An attacker can place backticks and HTML-like text inside a sanitized <pre> element so that the generated Markdown closes the fence early and leaves raw HTML outside the code block. When that Markdown is rendered by a CommonMark/GFM-style renderer that allows raw HTML, the HTML executes.

This is a bypass of the v1.12.0 Markdown hardening. That fix escaped HTML-significant characters for regular text nodes, but <pre> uses a separate serialization path and does not apply the same protection.

Details

The vulnerable <pre> Markdown path:

extracts decoded text from the <pre> subtree
opens a fenced block with a fixed delimiter of ``````
writes the decoded text directly into the output
closes with another fixed ``````

Because the fence length is fixed, attacker-controlled content containing a backtick run of length 3 or more can terminate the code block. If the content also contains decoded HTML-like text such as <img ...>, that text appears outside the fence in the resulting Markdown and is treated as raw HTML by downstream Markdown renderers.

The issue is not that HTML-like text appears inside code blocks. The issue is that the serializer allows attacker-controlled <pre> text to break out of the fixed fence.

Reproduction

python

from justhtml import JustHTML

payload = "<pre>&#96;&#96;&#96;
&lt;img src=x onerror=alert(1)&gt;</pre>"
doc = JustHTML(payload, fragment=True) # default sanitize=True

print(doc.to html(pretty=False))
# <pre>```
# &lt;img src=x onerror=alert(1)&gt;</pre>

print(doc.to markdown())
# ```
# ```
# <img src=x onerror=alert(1)>
# ```

Rendered as CommonMark/GFM-style Markdown, that output is interpreted as:

Line 1 opens a fenced code block
Line 2 closes it
Line 3 is raw HTML outside the fence
Line 4 opens a new fence

Impact

Applications that treat JustHTML(..., sanitize=True).to markdown() output as safe for direct rendering in Markdown contexts may be exposed to XSS, depending on the downstream Markdown renderer's raw-HTML handling.

Root Cause

The <pre> Markdown serializer uses a fixed fence instead of selecting a delimiter longer than the longest backtick run in the content.

Fix

When serializing <pre> content to Markdown, choose a fence length longer than any backtick run present in the code block content, with a minimum length of 3.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-80

Related Identifiers

GHSA-5VP3-3CG6-2RQ3

Affected Products

Justhtml