OWASP Java HTML Sanitizer, Cross-Site Scripting, CVE-2024-23635 (Critical)

The vulnerability CVE-2024-23635 in the OWASP Java HTML Sanitizer arises from an insecure interaction between the `noscript` and `style` HTML tags when a permissive policy is defined. The issue is triggered when the library's `HtmlPolicyBuilder` is configured to explicitly allow both `noscript` and `style` elements while also permitting raw text within `style` tags via the `.allowTextIn("style")` method. With that combination, the sanitizer's parsing logic fails to correctly neutralize a maliciously crafted input string. The payload `
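As an added illustration (not code from the advisory or from the OWASP project), the policy combination described above is shown next to a more conservative policy that omits `noscript` and does not pass raw text through `style`; the sample input is constructed and is not the CVE payload, and the class and method names are assumptions:

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SanitizerPolicyCheck {

    // The permissive combination the advisory describes: noscript and style
    // are both allowed and raw text inside style is passed through.
    // Avoid this combination on affected versions of the library.
    static PolicyFactory permissivePolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b", "noscript", "style")
                .allowTextIn("style")
                .toFactory();
    }

    // Conservative variant: only formatting tags are allowed; noscript and
    // style are not whitelisted, so no raw style text reaches the output.
    static PolicyFactory hardenedPolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b")
                .toFactory();
    }

    public static void main(String[] args) {
        // Constructed sample input (not the CVE payload): benign markup plus
        // a style block and a noscript block, used only to show how each
        // policy treats these elements.
        String input = "<p>hello <b>world</b></p>"
                + "<style>p { color: red; }</style>"
                + "<noscript><p>no-js fallback</p></noscript>";
        System.out.println("permissive: " + permissivePolicy().sanitize(input));
        System.out.println("hardened:   " + hardenedPolicy().sanitize(input));
    }
}
```

Auditing an application for this issue amounts to searching its policy definitions for `allowElements` calls that include both `noscript` and `style` together with `allowTextIn("style")`.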