GHSA-C9VM-HV86-F23R

Vulnerability from github – Published: 2026-04-10 19:20 – Updated: 2026-04-15 20:44
VLAI
Summary
justhtml includes multiple security fixes
Details

Summary

justhtml 1.15.0 includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.

These issues have different impact levels and do not all affect the default configuration in the same way.

Affected versions

  • justhtml <= 1.14.0

Fixed version

  • justhtml 1.15.0 released on April 9, 2026

Impact overview

Helper and serialization issues

These issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.

  • JustHTML.clean_url_value(...) and clean_url_in_js_string(...) could accept URL values such as javascript&#58;..., which became active javascript: URLs after HTML attribute parsing.
  • URL sanitization could treat values like \\evil.example/x or /\\evil.example/x as safe relative URLs even though browsers could resolve them as remote requests.
  • Malformed bracketed hosts such as https://[evil.example]/x could raise exceptions and crash sanitization when host allowlists were used.
  • Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.
  • Programmatic HTML comments containing --> could break out of the comment and inject live markup.

Markdown passthrough issue

  • to_markdown(html_passthrough=True) could reintroduce active HTML from sanitized <textarea> content by emitting a raw closing </textarea> sequence.

Custom policy issues

These issues affected custom policies more than the default safe configuration.

  • a[ping] was handled as a single URL even though browsers interpret it as a space-separated URL list.
  • attributionsrc was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.
  • link[imagesrcset] was not treated as URL-bearing and could preserve attacker-controlled image candidates.
  • Preserved <meta http-equiv="refresh"> tags could keep redirect targets without URL-policy enforcement.
  • Preserved <base href> tags could rewrite how later relative URLs resolved in the browser.
  • Preserved <style> blocks could keep resource-loading CSS such as @import, url(...), or image-set(...).
  • Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as DropAttrs(...), DropUrlAttrs(...), AllowStyleAttrs(...), and MergeAttrs(...).

Default configuration

Most of the custom-policy issues above did not affect the default JustHTML(..., sanitize=True) behavior.

The main exceptions were: - helper APIs such as clean_url_value(...) - programmatic DOM / serializer usage - applications explicitly using html_passthrough=True - applications using custom policies or custom transform pipelines

Recommended action

Upgrade to justhtml 1.15.0.

If you cannot upgrade immediately:

  • avoid html_passthrough=True for untrusted content
  • avoid preserving <style>, <meta http-equiv="refresh">, and <base href> in custom policies
  • avoid allowing ping, attributionsrc, or imagesrcset unless you explicitly validate them
  • avoid serializing untrusted programmatic node names, attribute names, or comment data
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.14.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "justhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-20",
      "CWE-755",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:20:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.\n\nThese issues have different impact levels and do not all affect the default configuration in the same way.\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.14.0`\n\n## Fixed version\n\n- `justhtml` `1.15.0` released on April 9, 2026\n\n## Impact overview\n\n### Helper and serialization issues\nThese issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.\n\n- `JustHTML.clean_url_value(...)` and `clean_url_in_js_string(...)` could accept URL values such as `javascript\u0026#58...`, which became active `javascript:` URLs after HTML attribute parsing.\n- URL sanitization could treat values like `\\\\evil.example/x` or `/\\\\evil.example/x` as safe relative URLs even though browsers could resolve them as remote requests.\n- Malformed bracketed hosts such as `https://[evil.example]/x` could raise exceptions and crash sanitization when host allowlists were used.\n- Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.\n- Programmatic HTML comments containing `--\u003e` could break out of the comment and inject live markup.\n\n### Markdown passthrough issue\n- `to_markdown(html_passthrough=True)` could reintroduce active HTML from sanitized `\u003ctextarea\u003e` content by emitting a raw closing `\u003c/textarea\u003e` sequence.\n\n### Custom policy issues\nThese issues affected custom policies more than the default safe configuration.\n\n- `a[ping]` was handled as a single URL even though browsers interpret it as a space-separated URL list.\n- `attributionsrc` was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.\n- `link[imagesrcset]` was not treated as URL-bearing and could preserve attacker-controlled image candidates.\n- Preserved `\u003cmeta http-equiv=\"refresh\"\u003e` tags could keep redirect targets without URL-policy enforcement.\n- Preserved `\u003cbase href\u003e` tags could rewrite how later relative URLs resolved in the browser.\n- Preserved `\u003cstyle\u003e` blocks could keep resource-loading CSS such as `@import`, `url(...)`, or `image-set(...)`.\n- Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as `DropAttrs(...)`, `DropUrlAttrs(...)`, `AllowStyleAttrs(...)`, and `MergeAttrs(...)`.\n\n## Default configuration\n\nMost of the custom-policy issues above did **not** affect the default `JustHTML(..., sanitize=True)` behavior.\n\nThe main exceptions were:\n- helper APIs such as `clean_url_value(...)`\n- programmatic DOM / serializer usage\n- applications explicitly using `html_passthrough=True`\n- applications using custom policies or custom transform pipelines\n\n## Recommended action\n\nUpgrade to `justhtml` `1.15.0`.\n\nIf you cannot upgrade immediately:\n\n- avoid `html_passthrough=True` for untrusted content\n- avoid preserving `\u003cstyle\u003e`, `\u003cmeta http-equiv=\"refresh\"\u003e`, and `\u003cbase href\u003e` in custom policies\n- avoid allowing `ping`, `attributionsrc`, or `imagesrcset` unless you explicitly validate them\n- avoid serializing untrusted programmatic node names, attribute names, or comment data",
  "id": "GHSA-c9vm-hv86-f23r",
  "modified": "2026-04-15T20:44:03Z",
  "published": "2026-04-10T19:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-c9vm-hv86-f23r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EmilStenstrom/justhtml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/compare/v1.14.0...v1.15.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/releases/tag/v1.15.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "justhtml includes multiple security fixes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.