PT-2026-35096 · Pypi · Justhtml

Published

2026-04-14

·

Updated

2026-04-14

CVSS v4.0

1.3

Low

VectorAV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Summary

justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.
Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:
  • programmatic DOM input to sanitize() or sanitize dom()
  • reused or mutated sanitization policy objects
  • custom policies that preserve foreign namespaces such as SVG or MathML

Affected versions

  • justhtml <= 1.15.0

Fixed version

  • justhtml 1.16.0 released on April 12, 2026

Impact

Policy reuse and mutation

Nested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.

In-memory sanitization gaps

Programmatic DOM sanitization could miss dangerous mixed-case tag names such as ScRiPt or StYlE, and custom drop content tags values such as {"SCRIPT"} could silently fail to drop dangerous subtrees.

Serialization injection

Crafted programmatic doctype names could serialize into active markup before the document body.

Foreign-namespace policy bypasses

Custom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:
  • animation elements such as <set> and <animate> that mutate already-sanitized attributes after sanitization
  • presentation attributes such as fill, clip-path, mask, marker-start, and cursor containing external url(...) references
  • programmatic DOM trees that claim namespace="html" but serialize as <svg> or <math>, bypassing foreign-content checks

Rawtext hardening gap

Mixed-case programmatic style or script nodes could bypass rawtext hardening and preserve active stylesheet content such as remote @import rules.

Default configuration

Most of these issues did not affect the normal JustHTML(..., sanitize=True) path for ordinary parsed HTML.
The main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.

Recommended action

Upgrade to justhtml 1.16.0.
If you cannot upgrade immediately:
  • do not mutate DEFAULT POLICY, DEFAULT DOCUMENT POLICY, or nested policy internals
  • avoid reusing policy objects after mutating nested state
  • avoid preserving SVG or MathML for untrusted input
  • avoid preserving style or script in custom policies for untrusted input
  • avoid serializing untrusted programmatic doctypes or DOM trees

Credit

Discovered during an internal security review of justhtml.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-436CWE-178CWE-471

Related Identifiers

GHSA-4P64-V8F5-R2GX

Affected Products

Justhtml