justhtml, Multiple Sanitization Bypasses, No CVE (Critical)

Listen to this Post

How the mentioned vulnerabilities work (around 20 lines):

  1. Policy reuse and mutation: Mutating nested sanitization policy internals (e.g., DEFAULT_POLICY) leaves stale compiled sanitizers active, weakening later sanitization.
  2. In-memory sanitization gaps: Programmatic DOM sanitization fails to recognize mixed-case dangerous tags like `ScRiPt` or StYlE, allowing script execution.
  3. Custom `drop_content_tags` values such as `{“SCRIPT”}` silently fail to drop dangerous subtrees due to case mismatches.
  4. Serialization injection: Crafted programmatic doctype names serialize into active markup before the document body, enabling injection.
  5. Foreign-namespace policy bypasses: Custom policies preserving SVG/MathML allow active SVG features to survive sanitization.
  6. SVG animation elements (<set>, <animate>) mutate already-sanitized attributes after sanitization.
  7. SVG presentation attributes (fill, clip-path, mask, marker-start, cursor) with external `url(…)` references bypass filters.
  8. Programmatic DOM trees claiming `namespace=”html”` but serializing as `` or `` evade foreign-content checks.
  9. Rawtext hardening gap: Mixed-case programmatic `style` or `script` nodes bypass rawtext hardening.
  10. Preserved active stylesheet content (e.g., remote `@import` rules) from such nodes leads to CSS injection.
  11. Default `JustHTML(…, sanitize=True)` for ordinary parsed HTML is mostly safe except policy mutation.
  12. Reused policy objects after mutating nested state cause cross-context sanitization weakening.
  13. Exported default policy internals mutated process-wide affect all subsequent sanitizations.
  14. No CVE ID assigned; these issues fixed collectively in justhtml 1.16.0.
  15. Attack vector requires advanced paths: programmatic DOM input, reused policies, or custom foreign-namespace policies.

dailycve form:

Platform: justhtml
Version: <=1.15.0
Vulnerability: Multiple sanitization bypasses
Severity: Critical
date: 2026-04-12

Prediction: Expected patch 2026-04-12

What Undercode Say:

Check installed justhtml version
pip show justhtml | grep Version
Update to patched version 1.16.0
pip install --upgrade justhtml==1.16.0
Verify policy mutation risk (example Python)
from justhtml import DEFAULT_POLICY
import copy
safe_policy = copy.deepcopy(DEFAULT_POLICY) Avoid mutating original
Test mixed-case tag bypass (proof of concept)
from justhtml import sanitize
malicious = "<ScRiPt>alert(1)</ScRiPt>"
print(sanitize(malicious)) Should be empty after patch

Exploit:

Craft programmatic DOM with `namespace=”html”` but `` to bypass sanitization. Or reuse mutated `DEFAULT_POLICY` after adding `”SCRIPT”` to `drop_content_tags` but with mixed-case `ScRiPt` payload.

Protection from this CVE

Upgrade to justhtml 1.16.0 immediately. If unable, never mutate `DEFAULT_POLICY` or nested policy internals; avoid reusing policy objects after mutation; disable SVG/MathML preservation; drop style/script nodes; serialize untrusted doctypes/DOM trees only after strict validation.

Impact:

Remote code execution via script injection, CSS theft via @import, UI redressing, and data exfiltration through SVG external references. Policy mutation can globally weaken sanitization across entire application, leading to stored XSS and cross-context compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top