PT-2026-33573 · PyPI · Justhtml
Published 2026-04-08 · Updated 2026-04-08
CVSS v4.0: 2.1 (Low)
Vector: AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
A parser-differential / mutation XSS issue was found in justhtml when using a custom sanitization policy that preserves foreign namespaces such as SVG or MathML. Under these custom settings, specially crafted input could sanitize into HTML that looked safe at first, but became unsafe when parsed again by a browser or another HTML parser.
Impact
This issue does not affect the default safe configuration.
You may be affected if you use a custom SanitizationPolicy with settings like:
- drop_foreign_namespaces=False
- allowlisted foreign elements such as MathML or SVG
- allowlisted raw-text containers such as <style>
In that case, an attacker could inject markup that survives sanitization and turns into active HTML after re-parsing.
Affected versions
justhtml <= 1.13.0
Fixed version
- Fixed in 1.14.0
Workarounds
Until you upgrade:
- keep drop_foreign_namespaces=True
- avoid allowlisting foreign namespaces for untrusted input
- avoid allowlisting raw-text containers such as <style> in custom policies
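The failure mode behind both the Impact and Workarounds sections, shown as an added example that is not part of this advisory or of the justhtml code base: a small re-parse check written against Python's standard html.parser. It reads the same serialized <style> body twice, once under the HTML raw-text rule (the body is text) and once under the browser's foreign-content rule (inside <svg> or <math> the body is ordinary markup), and then flags any element or attribute that appears after re-parsing but is not on the policy's allowlist. The TagCollector class, its override of set_cdata_mode (which relies on an html.parser implementation detail), the sample string and the allowlist are all constructed for this example and are assumptions, not justhtml API.

```python
"""Re-parse check for sanitizer output (constructed example, not justhtml code).

A raw-text container such as <style> is parsed differently depending on its
namespace: in HTML content its body is text, but inside <svg> or <math> a
browser parses the body as markup.  A sanitizer that serializes the body as
raw text can therefore emit a string that a browser re-parses into extra
elements.  This module re-parses serialized output with both rules and
reports anything outside the policy's allowlist.
"""
from html.parser import HTMLParser

FOREIGN_ROOTS = {"svg", "math"}


class TagCollector(HTMLParser):
    """Collects start tags and attributes from serialized HTML.

    Python's html.parser always switches to raw-text mode for <style> and
    <script>.  With foreign_aware=True this subclass skips raw-text mode
    while inside <svg>/<math>, approximating how a browser treats <style>
    there.  Overriding set_cdata_mode depends on html.parser calling it right
    after handle_starttag, which is an implementation detail (assumption).
    """

    def __init__(self, foreign_aware):
        super().__init__(convert_charrefs=True)
        self.foreign_aware = foreign_aware
        self.foreign_depth = 0
        self.tags = []          # start tags in document order
        self.attributes = []    # (tag, attribute name) pairs

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN_ROOTS:
            self.foreign_depth += 1
        self.tags.append(tag)
        self.attributes.extend((tag, name) for name, _ in attrs)

    def handle_endtag(self, tag):
        if tag in FOREIGN_ROOTS and self.foreign_depth:
            self.foreign_depth -= 1

    def set_cdata_mode(self, elem, *args, **kwargs):
        # Inside svg/math, keep parsing the <style> body as markup, as a
        # browser does; otherwise fall back to html.parser's raw-text mode.
        if self.foreign_aware and self.foreign_depth:
            return
        super().set_cdata_mode(elem, *args, **kwargs)


def elements_seen(serialized, foreign_aware):
    """Return the start tags a parser using the chosen rule sees."""
    parser = TagCollector(foreign_aware)
    parser.feed(serialized)
    parser.close()
    return parser.tags


def reparse_violations(serialized, allowed_tags, allowed_attrs=frozenset()):
    """Re-parse sanitizer output under the foreign-content rule and list every
    tag or attribute outside the allowlist.  An empty list means the output is
    stable under re-parsing with respect to the policy."""
    parser = TagCollector(foreign_aware=True)
    parser.feed(serialized)
    parser.close()
    violations = [("tag", t) for t in parser.tags if t not in allowed_tags]
    violations += [("attr", f"{t}@{a}")
                   for t, a in parser.attributes if a not in allowed_attrs]
    return violations


# Constructed sample: what a sanitizer that keeps <svg> and treats <style>
# as a raw-text container might emit.  The inner <b> is deliberately
# harmless; the point is that one rule sees text and the other an element.
SAMPLE = "<p>ok</p><svg><style><b>text or element?</b></style></svg>"
POLICY_TAGS = frozenset({"p", "svg", "style"})   # constructed allowlist

if __name__ == "__main__":
    print("raw-text rule      :", elements_seen(SAMPLE, foreign_aware=False))
    print("foreign-aware rule :", elements_seen(SAMPLE, foreign_aware=True))
    print("violations         :", reparse_violations(SAMPLE, POLICY_TAGS))
```

Running the module prints the tag list under each rule and the violation report; a policy check that only ever looks at the first parse would report nothing for this sample, while the re-parse under the foreign-content rule reports the extra element. Wiring a check like reparse_violations after sanitization, and rejecting output that yields any violation, is a cheap guard for custom policies that keep foreign namespaces, independent of which sanitizer produced the output.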
Notes
The default JustHTML(..., sanitize=True) behavior was not found to be vulnerable in this issue.
Credit
Discovered by the JustHTML author during an LLM-based security review of justhtml.
Fix
XSS
Affected Products
Justhtml