Listen to this Post
How the mentioned vulnerabilities work (around 20 lines):
- Policy reuse and mutation: Mutating nested sanitization policy internals (e.g.,
DEFAULT_POLICY) leaves stale compiled sanitizers active, weakening later sanitization. - In-memory sanitization gaps: Programmatic DOM sanitization fails to recognize mixed-case dangerous tags like `ScRiPt` or
StYlE, allowing script execution. - Custom `drop_content_tags` values such as `{“SCRIPT”}` silently fail to drop dangerous subtrees due to case mismatches.
- Serialization injection: Crafted programmatic doctype names serialize into active markup before the document body, enabling injection.
- Foreign-namespace policy bypasses: Custom policies preserving SVG/MathML allow active SVG features to survive sanitization.
- SVG animation elements (
<set>,<animate>) mutate already-sanitized attributes after sanitization. - SVG presentation attributes (
fill,clip-path,mask,marker-start,cursor) with external `url(…)` references bypass filters. - Programmatic DOM trees claiming `namespace=”html”` but serializing as `
- Rawtext hardening gap: Mixed-case programmatic `style` or `script` nodes bypass rawtext hardening.
- Preserved active stylesheet content (e.g., remote `@import` rules) from such nodes leads to CSS injection.
- Default `JustHTML(…, sanitize=True)` for ordinary parsed HTML is mostly safe except policy mutation.
- Reused policy objects after mutating nested state cause cross-context sanitization weakening.
- Exported default policy internals mutated process-wide affect all subsequent sanitizations.
- No CVE ID assigned; these issues fixed collectively in justhtml 1.16.0.
- Attack vector requires advanced paths: programmatic DOM input, reused policies, or custom foreign-namespace policies.
dailycve form:
Platform: justhtml
Version: <=1.15.0
Vulnerability: Multiple sanitization bypasses
Severity: Critical
date: 2026-04-12
Prediction: Expected patch 2026-04-12
What Undercode Say:
Check installed justhtml version pip show justhtml | grep Version Update to patched version 1.16.0 pip install --upgrade justhtml==1.16.0 Verify policy mutation risk (example Python) from justhtml import DEFAULT_POLICY import copy safe_policy = copy.deepcopy(DEFAULT_POLICY) Avoid mutating original Test mixed-case tag bypass (proof of concept) from justhtml import sanitize malicious = "<ScRiPt>alert(1)</ScRiPt>" print(sanitize(malicious)) Should be empty after patch
Exploit:
Craft programmatic DOM with `namespace=”html”` but `
Protection from this CVE
Upgrade to justhtml 1.16.0 immediately. If unable, never mutate `DEFAULT_POLICY` or nested policy internals; avoid reusing policy objects after mutation; disable SVG/MathML preservation; drop style/script nodes; serialize untrusted doctypes/DOM trees only after strict validation.
Impact:
Remote code execution via script injection, CSS theft via @import, UI redressing, and data exfiltration through SVG external references. Policy mutation can globally weaken sanitization across entire application, leading to stored XSS and cross-context compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

