JustHTML: Custom Settings Allow Malicious Code Injection
GHSA-r758-8hxw-4845
Summary
A mutation XSS (parser-differential) issue exists in JustHTML when a custom sanitization policy is used to allow foreign-namespace elements such as SVG or MathML. Under such a policy, attacker-controlled input can survive sanitization as markup that looks inert in the sanitizer's own parse but becomes active when the serialized output is parsed again by a browser. Upgrade to version 1.14.0; until then, keep foreign namespaces dropped (`drop_foreign_namespaces=True`) and do not allowlist raw-text containers such as `<style>` for untrusted input. The default `sanitize=True` configuration is not affected.
What to do
- Update justhtml to version 1.14.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | justhtml | <= 1.13.0 | 1.14.0 |
Original title
justhtml: Mutation XSS with custom foreign-namespace sanitization policies
Original description
## Summary
A parser-differential / mutation XSS issue was found in `justhtml` when using a **custom sanitization policy** that preserves foreign namespaces such as SVG or MathML.
Under these custom settings, specially crafted input could sanitize into HTML whose tree looked safe to the sanitizer, but whose serialized form was interpreted differently, and unsafely, when parsed again by a browser or another HTML parser.
## Impact
This issue does **not** affect the default safe configuration.
You may be affected if you use a custom `SanitizationPolicy` with settings like:
- `drop_foreign_namespaces=False`
- allowlisted foreign elements such as MathML or SVG
- allowlisted raw-text containers such as `<style>`
In that case, an attacker could inject markup that survives sanitization and turns into active HTML after re-parsing.
## Affected versions
- `justhtml` `<= 1.13.0`
## Fixed version
- Fixed in `1.14.0`
## Workarounds
Until you upgrade:
- keep `drop_foreign_namespaces=True`
- avoid allowlisting foreign namespaces for untrusted input
- avoid allowlisting raw-text containers such as `<style>` in custom policies
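The following is an added illustration for the Impact and Workarounds sections above; it is not justhtml code and does not use justhtml's `SanitizationPolicy` API. It builds a stand-in allowlist sanitizer on Python's `html.parser`, which treats `<style>` as raw text in every context, and a second parser that follows the HTML5 rule that inside `<svg>`/`<math>` a `<style>` start tag does not switch the tokenizer to raw text. The `Policy` class, the `sanitize` and `browser_view_violations` helpers and the payload are all constructed for the example; the payload shows the class of input described above (a raw-text container under a foreign namespace), not the report's actual trigger. With a policy that keeps foreign namespaces and allowlists `<style>`, the sanitizer's output is idempotent under its own parser yet yields an `onerror` attribute on the browser-like re-parse; either workaround removes the finding.

```python
"""Mutation-XSS parser-differential demo (stand-in code written for this page;
not justhtml and not its API; Policy, helpers and payload are constructed)."""
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser

FOREIGN_ROOTS = {"svg", "math"}
RAW_TEXT = {"style"}             # raw-text containers a custom policy might allow
VOID = {"img", "br", "hr", "input"}


class LenientParser(HTMLParser):
    """Flat event recorder; like stdlib html.parser, <style> is raw text everywhere."""

    def __init__(self):
        self.events, self.foreign_depth = [], 0
        super().__init__()

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN_ROOTS:
            self.foreign_depth += 1
        self.events.append(("start", tag, dict(attrs)))

    def handle_endtag(self, tag):
        if tag in FOREIGN_ROOTS and self.foreign_depth:
            self.foreign_depth -= 1
        self.events.append(("end", tag, None))

    def handle_data(self, data):
        self.events.append(("text", None, data))


class ForeignAwareParser(LenientParser):
    """Same recorder, but models the HTML5 rule that inside foreign content a
    <style> start tag does not enter raw-text mode, so its body is tokenized
    as markup (this is the browser's view of the same bytes)."""

    def set_cdata_mode(self, elem, *args, **kwargs):
        if self.foreign_depth == 0:
            super().set_cdata_mode(elem, *args, **kwargs)


def parse(html, parser_cls):
    p = parser_cls()
    p.feed(html)
    p.close()
    return p.events


@dataclass
class Policy:  # constructed stand-in, not justhtml's SanitizationPolicy
    allowed_tags: set
    allowed_attrs: set = field(default_factory=lambda: {"class", "src"})
    drop_foreign_namespaces: bool = True


def sanitize(html, policy):
    """Allowlist sanitizer over the lenient parse; disallowed subtrees are dropped."""
    out, raw, dropping = [], False, []
    for kind, tag, payload in parse(html, LenientParser):
        if kind == "start":
            blocked = tag not in policy.allowed_tags or (
                tag in FOREIGN_ROOTS and policy.drop_foreign_namespaces)
            if dropping or blocked:
                if tag not in VOID:
                    dropping.append(tag)
                continue
            attrs = "".join(f' {k}="{escape(v or "", quote=True)}"'
                            for k, v in payload.items() if k in policy.allowed_attrs)
            out.append(f"<{tag}{attrs}>")
            raw = tag in RAW_TEXT
        elif kind == "end":
            if dropping:
                if dropping[-1] == tag:
                    dropping.pop()
                continue
            out.append(f"</{tag}>")
            raw = False
        elif not dropping:
            # Raw-text content is emitted verbatim; that is the mutation source.
            out.append(payload if raw else escape(payload))
    return "".join(out)


def browser_view_violations(html, policy):
    """Re-parse sanitizer output with browser-like foreign-content rules and
    report any element or attribute the policy would not have allowed."""
    bad = []
    for kind, tag, attrs in parse(html, ForeignAwareParser):
        if kind != "start":
            continue
        if tag not in policy.allowed_tags:
            bad.append((tag, None))
        bad.extend((tag, name) for name in attrs if name not in policy.allowed_attrs)
    return bad


# Constructed payload for the class of problem described in the advisory.
PAYLOAD = "<svg><style><img src=x onerror=alert(1)></style></svg>"
VULNERABLE = Policy({"p", "svg", "style"}, drop_foreign_namespaces=False)
HARDENED = Policy({"p", "svg", "style"}, drop_foreign_namespaces=True)   # workaround 1
NO_RAW_TEXT = Policy({"p", "svg"}, drop_foreign_namespaces=False)        # workaround 3


def demo(policy, payload=PAYLOAD):
    cleaned = sanitize(payload, policy)
    # Idempotence under the sanitizer's own parser is necessary but not sufficient.
    idempotent = sanitize(cleaned, policy) == cleaned
    return cleaned, idempotent, browser_view_violations(cleaned, policy)


if __name__ == "__main__":
    for name, pol in [("vulnerable", VULNERABLE), ("hardened", HARDENED),
                      ("no raw text", NO_RAW_TEXT)]:
        print(name, demo(pol))
```

The point of the `idempotent` flag is that a sanitize-twice check passes for the vulnerable policy: the sanitizer agrees with itself, so a round-trip under your own parser cannot reveal this class of bug. The differential only appears against a parser that applies the browser's foreign-content rules, which is why the workarounds remove the foreign subtree or the raw-text container rather than trying to filter its contents.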
## Notes
The default `JustHTML(..., sanitize=True)` behavior was not found to be vulnerable in this issue.
## Credit
Discovered by the JustHTML author during an LLM-based security review of `justhtml`.
CVSS 4.0 score (GHSA)
2.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026