| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1nnk-vww8-vyh7 |
| vulnerability_id |
VCID-1nnk-vww8-vyh7 |
| summary |
justhtml introduces denial-of-service hardening
## Summary
`justhtml` `1.18.0` fixes multiple low-severity denial-of-service hardening issues in CSS selector handling and linkification.
These issues are availability concerns. They do not allow script execution, data disclosure, or sanitizer bypass by themselves.
## Affected versions
- `justhtml` `< 1.18.0`
## Fixed version
- `justhtml` `1.18.0` released on May 4, 2026
## Impact
### CSS selector handling
Applications that evaluate attacker-controlled selector strings, or that run selector-based transform pipelines over attacker-controlled documents, could consume disproportionate CPU or memory.
The affected selector patterns included oversized selectors, large selector lists, oversized compound selectors, long combinator chains, deeply nested functional pseudo-classes such as `:not(...)`, repeated attribute/class token matching over large values, repeated sibling or ancestor scans, repeated positional pseudo-class work, and `:contains(...)` over large descendant text.
Programmatically constructed malformed DOM graphs could also trigger non-terminating or duplicate traversal in some selector paths, including cyclic/shared child graphs, cyclic parent chains, and cyclic text traversal for `:contains(...)`.
### Linkification
Attacker-controlled text containing punctuation-heavy input or URL candidates ending in long runs of unmatched closing brackets could cause repeated rescanning and consume disproportionate CPU when linkification was enabled.
## Default configuration
Ordinary sanitization of parsed HTML with the default `JustHTML(..., sanitize=True)` configuration is not expected to expose untrusted users to selector injection, because selectors are normally supplied by application code.
The main risk areas are:
- applications that accept selector strings from untrusted users and pass them to `query(...)`, `matches(...)`, or selector-based transforms
- custom transform or sanitization pipelines that run selector matching over very large untrusted documents
- applications that construct or mutate DOM trees programmatically from untrusted structure
- applications that enable `Linkify(...)` over attacker-controlled text
## Fixes in 1.18.0
`1.18.0` adds generalized selector resource controls and removes several repeated-work hot paths:
- shared selector limits for parse and match operations
- structural caps for selector length, selector lists, compound selectors, complex selectors, and parse depth
- match-operation and string-byte budgets
- per-query matcher state for caches and cycle guards
- precomputed or cached ancestor, sibling, positional, attribute-token, text-content, `:not(...)`, `:empty`, and `:nth-child(...)` work
- consistent enforcement across public parsing, `query(...)`, tag-only query fast paths, transform selector compilation, and sanitization transform matching
- linkification hardening for punctuation-heavy inputs and trailing bracket trimming
## CWE mapping
- CWE-400: Uncontrolled Resource Consumption
- CWE-407: Inefficient Algorithmic Complexity
- CWE-835: Loop with Unreachable Exit Condition
## Recommended action
Upgrade to `justhtml` `1.18.0`.
If users cannot upgrade immediately:
- do not pass untrusted selector strings to `query(...)`, `matches(...)`, or selector-based transforms
- restrict the size of untrusted documents before selector matching or linkification
- avoid constructing programmatic DOM graphs from untrusted structure
- avoid enabling `Linkify(...)` on very large attacker-controlled text
## Credit
Discovered during an internal security review of `justhtml`. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-r8cj-3554-33mr
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1nnk-vww8-vyh7 |
|
| 1 |
| url |
VCID-82ee-j3d7-uucn |
| vulnerability_id |
VCID-82ee-j3d7-uucn |
| summary |
JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)
## Summary
Sanitized DOM trees can be unsafe to serialize when a custom policy allows raw-text elements such as `<style>` or `<script>`.
The issue affects DOM trees that are constructed or modified programmatically and then passed through `sanitize_dom()` with a policy that keeps these elements. Text nodes inside `<style>` and `<script>` are serialized literally, so attacker-controlled text containing the matching closing tag sequence can break out of the raw-text context and inject HTML into the serialized output.
The default sanitization policy is not affected because it drops the contents of `style` and `script`.
## Details
The root cause is in HTML serialization of raw-text elements. In serialize.py, text children of `script` and `style` are emitted verbatim:
```python
_LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})

def _serialize_text_for_parent(text: str | None, parent_name: str | None) -> str:
    if not text:
        return ""
    if parent_name in _LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    return _escape_text(text)
```
|
| references |
|
| fixed_packages |
|
| aliases |
GHSA-qvc2-mg72-jjhx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-82ee-j3d7-uucn |
|
| 2 |
| url |
VCID-cdux-h8qv-bqan |
| vulnerability_id |
VCID-cdux-h8qv-bqan |
| summary |
Multiple security fixes in justhtml
## Summary
`justhtml` `1.16.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.
Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:
- programmatic DOM input to `sanitize()` or `sanitize_dom()`
- reused or mutated sanitization policy objects
- custom policies that preserve foreign namespaces such as SVG or MathML
## Affected versions
- `justhtml` `<= 1.15.0`
## Fixed version
- `justhtml` `1.16.0` released on April 12, 2026
## Impact
### Policy reuse and mutation
Nested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.
### In-memory sanitization gaps
Programmatic DOM sanitization could miss dangerous mixed-case tag names such as `ScRiPt` or `StYlE`, and custom `drop_content_tags` values such as `{"SCRIPT"}` could silently fail to drop dangerous subtrees.
### Serialization injection
Crafted programmatic doctype names could serialize into active markup before the document body.
### Foreign-namespace policy bypasses
Custom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:
- animation elements such as `<set>` and `<animate>` that mutate already-sanitized attributes after sanitization
- presentation attributes such as `fill`, `clip-path`, `mask`, `marker-start`, and `cursor` containing external `url(...)` references
- programmatic DOM trees that claim `namespace="html"` but serialize as `<svg>` or `<math>`, bypassing foreign-content checks
### Rawtext hardening gap
Mixed-case programmatic `style` or `script` nodes could bypass rawtext hardening and preserve active stylesheet content such as remote `@import` rules.
## Default configuration
Most of these issues did **not** affect the normal `JustHTML(..., sanitize=True)` path for ordinary parsed HTML.
The main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.
## Recommended action
Upgrade to `justhtml` `1.16.0`.
If you cannot upgrade immediately:
- do not mutate `DEFAULT_POLICY`, `DEFAULT_DOCUMENT_POLICY`, or nested policy internals
- avoid reusing policy objects after mutating nested state
- avoid preserving SVG or MathML for untrusted input
- avoid preserving `style` or `script` in custom policies for untrusted input
- avoid serializing untrusted programmatic doctypes or DOM trees
## Credit
Discovered during an internal security review of `justhtml`. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-4p64-v8f5-r2gx
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cdux-h8qv-bqan |
|
| 3 |
| url |
VCID-mbkb-5x56-u7ej |
| vulnerability_id |
VCID-mbkb-5x56-u7ej |
| summary |
JustHTML has a Sanitizer Bypass (in Markdown)
## Summary
`to_markdown()` does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in `to_html()` can become raw HTML in Markdown output.
This is not specific to tokenizer raw-text states like `<title>`, `<noscript>`, or `<plaintext>`, although those states can trigger the behavior. The root cause is broader: Markdown text serialization leaves angle brackets unescaped in text nodes.
## Details
When converting a parsed document to Markdown, text nodes are escaped for a small set of Markdown metacharacters, but HTML-significant characters such as `<` and `>` are preserved. That means content parsed as text, including entity-decoded text or text produced by RCDATA/RAWTEXT-style parsing, can be emitted into Markdown as raw HTML.
Examples of affected input include:
- Text produced from entity-decoded input such as `<script>...</script>`
- Text inside elements like `<title>`, `<textarea>`, `<noscript>` (when parsed as raw text), and `<plaintext>`
This is distinct from actual `<script>` or `<style>` elements in the DOM. Those are already dropped by default in `to_markdown()` unless `html_passthrough=True`.
## Proof of Concept
### General case
```python
from justhtml import JustHTML

doc = JustHTML("<p><img src=x onerror=alert(1)></p>", fragment=True)
print(doc.to_html())
print()
print(doc.to_markdown())
```
|
| references |
|
| fixed_packages |
|
| aliases |
GHSA-3rcm-vjrc-p45j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mbkb-5x56-u7ej |
|
| 4 |
| url |
VCID-seu1-1kkh-kkas |
| vulnerability_id |
VCID-seu1-1kkh-kkas |
| summary |
JustHTML is vulnerable to XSS via code fence breakout in <pre> content
## Summary
`to_markdown()` is vulnerable when serializing attacker-controlled `<pre>` content. The `<pre>` handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content.
An attacker can place backticks and HTML-like text inside a sanitized `<pre>` element so that the generated Markdown closes the fence early and leaves raw HTML outside the code block. When that Markdown is rendered by a CommonMark/GFM-style renderer that allows raw HTML, the HTML executes.
This is a bypass of the v1.12.0 Markdown hardening. That fix escaped HTML-significant characters for regular text nodes, but `<pre>` uses a separate serialization path and does not apply the same protection.
## Details
The vulnerable `<pre>` Markdown path:
- extracts decoded text from the `<pre>` subtree
- opens a fenced block with a fixed three-backtick delimiter
- writes the decoded text directly into the output
- closes with another fixed three-backtick delimiter
Because the fence length is fixed, attacker-controlled content containing a backtick run of length 3 or more can terminate the code block. If the content also contains decoded HTML-like text such as `<img ...>`, that text appears outside the fence in the resulting Markdown and is treated as raw HTML by downstream Markdown renderers.
The issue is not that HTML-like text appears inside code blocks. The issue is that the serializer allows attacker-controlled `<pre>` text to break out of the fixed fence.
## Reproduction
```python
from justhtml import JustHTML
payload = "<pre>```\n<img src=x onerror=alert(1)></pre>"
doc = JustHTML(payload, fragment=True) # default sanitize=True
print(doc.to_html(pretty=False))
# <pre>```
# <img src=x onerror=alert(1)></pre>
print(doc.to_markdown())
# ```
# ```
# <img src=x onerror=alert(1)>
# ```
```
Rendered as CommonMark/GFM-style Markdown, that output is interpreted as:
1. Line 1 opens a fenced code block
2. Line 2 closes it
3. Line 3 is raw HTML outside the fence
4. Line 4 opens a new fence
## Impact
Applications that treat `JustHTML(..., sanitize=True).to_markdown()` output as safe for direct rendering in Markdown contexts may be exposed to XSS, depending on the downstream Markdown renderer's raw-HTML handling.
## Root Cause
The `<pre>` Markdown serializer uses a fixed fence instead of selecting a delimiter longer than the longest backtick run in the content.
## Fix
When serializing `<pre>` content to Markdown, choose a fence length longer than any backtick run present in the code block content, with a minimum length of 3. |
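The fix described above, as an added example that is not justhtml's own code: the fence-selection rule (longer than any backtick run, minimum 3) beside the fixed-fence behaviour the advisory reports, plus a small fence tracker that shows which lines a CommonMark-style renderer would see outside every code block. The helper names and the sample `<pre>` text are constructed for this example.

```python
import re

# Added example, not justhtml's code.


def longest_backtick_run(text: str) -> int:
    """Length of the longest run of consecutive backticks in `text` (0 if none)."""
    return max((len(m.group(0)) for m in re.finditer(r"`+", text)), default=0)


def choose_fence(text: str) -> str:
    """A delimiter no backtick run inside `text` can close: one longer than the
    longest run, and never shorter than the CommonMark minimum of three."""
    return "`" * max(3, longest_backtick_run(text) + 1)


def pre_to_markdown_vulnerable(text: str) -> str:
    """Fixed three-backtick fence, as in the affected <pre> serializer."""
    return f"```\n{text}\n```\n"


def pre_to_markdown_fixed(text: str) -> str:
    """Fence chosen per the advisory's fix."""
    fence = choose_fence(text)
    return f"{fence}\n{text}\n{fence}\n"


def lines_outside_fences(markdown: str) -> list[str]:
    """Simplified CommonMark fence tracking: a line consisting of N >= 3 backticks
    opens a code block, which closes at the next line of at least N backticks.
    Returns the lines that fall outside every code block. Info strings and
    indented fences are ignored, which is enough for serializer output."""
    outside: list[str] = []
    open_len = 0
    for line in markdown.splitlines():
        stripped = line.strip()
        is_fence = len(stripped) >= 3 and stripped == "`" * len(stripped)
        if is_fence and open_len == 0:
            open_len = len(stripped)  # opening fence
            continue
        if is_fence and len(stripped) >= open_len:
            open_len = 0  # closing fence: long enough to match the opener
            continue
        if open_len == 0:
            outside.append(line)  # raw Markdown, rendered as HTML if it looks like it
    return outside


# Constructed sample: <pre> text whose first line is a three-backtick run.
SAMPLE_PRE_TEXT = "```\n<img src=x alt=breakout>"

if __name__ == "__main__":
    print(lines_outside_fences(pre_to_markdown_vulnerable(SAMPLE_PRE_TEXT)))  # ['<img src=x alt=breakout>']
    print(lines_outside_fences(pre_to_markdown_fixed(SAMPLE_PRE_TEXT)))  # []
```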
| references |
|
| fixed_packages |
|
| aliases |
GHSA-5vp3-3cg6-2rq3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-seu1-1kkh-kkas |
|
| 5 |
| url |
VCID-sfgz-pcf7-1ka4 |
| vulnerability_id |
VCID-sfgz-pcf7-1ka4 |
| summary |
justhtml has sanitization bypass in custom policies and programmatic DOM
## Summary
`justhtml` `1.17.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.
Most of these issues affected advanced or custom configurations rather than the default safe path.
## Affected versions
- `justhtml` `<= 1.16.0`
## Fixed version
- `justhtml` `1.17.0` released on April 19, 2026
## Impact
### Custom SVG / MathML sanitization policies
Custom policies that preserved foreign namespaces could allow dangerous content to survive sanitization, including:
- active HTML integration points such as SVG `<foreignObject>`, MathML `<annotation-xml encoding="text/html">`, SVG `<title>` / `<desc>`, and MathML text integration points
- mutation-XSS parser-differential payloads that looked inert in memory but became active HTML after reparse
- SVG `filter="url(...)"` attributes that could trigger external fetches
These issues affected:
- `JustHTML(..., sanitize=True)` with custom foreign-namespace policies
- `sanitize()` / `sanitize_dom()`
- low-level terminal `Sanitize(...)` transform execution
### Preserved `<style>` handling
Constructor-time sanitization and explicit `Sanitize(...)` transforms did not fully match `sanitize()` / `sanitize_dom()` when custom policies preserved `<style>`.
That could leave resource-loading CSS such as `@import` or `background-image:url(...)` in sanitized output from HTML string input.
### Programmatic DOM serialization
Programmatic `script`, `style`, and `Comment(...)` nodes could still serialize into active markup in some edge cases.
This could affect applications that build or mutate DOM trees directly before calling `to_html()` or `to_markdown(html_passthrough=True)`.
### Cache mutation and DOM cycle handling
Two lower-severity hardening fixes were included:
- compiled sanitize-pipeline caches could be mutated after warming and weaken later sanitization
- parent/child cycles in programmatic DOM trees could cause infinite loops in operations such as `to_html()` and `sanitize_dom()`
## Default configuration
Most of the issues above did **not** affect ordinary parsed HTML with the default `JustHTML(..., sanitize=True)` configuration.
The main risk areas were:
- custom policies that preserve SVG or MathML
- custom policies that preserve `<style>`
- programmatic DOM construction or mutation
- low-level direct sanitizer/transform APIs
## Recommended action
Upgrade to `justhtml` `1.17.0`.
If users cannot upgrade immediately:
- avoid preserving SVG or MathML for untrusted input
- avoid preserving `<style>` for untrusted input
- avoid mutating programmatic DOM trees with untrusted `script`, `style`, or comment content
- avoid mutating warmed policy internals or sanitizer caches
## Credit
Discovered during an internal security review of `justhtml`. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-vrx2-77f2-ww34
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sfgz-pcf7-1ka4 |
|
| 6 |
| url |
VCID-wpb8-14qx-r7b1 |
| vulnerability_id |
VCID-wpb8-14qx-r7b1 |
| summary |
Uncontrolled recursion DoS in JustHTML() via deeply nested HTML
### Summary
justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, `JustHTML.__init__()` always reaches `TreeBuilder.finish()`, which unconditionally calls `_populate_selectedcontent()`. That function recursively traverses the DOM via `_find_elements()` / `_find_element()` without a depth bound, allowing attacker-controlled deeply nested input to trigger an unhandled `RecursionError` on CPython. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.
### Details
`TreeBuilder.finish()` ([`treebuilder.py#L476`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L476)) unconditionally calls `_populate_selectedcontent(self.document)` at [line 494](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L494). `_populate_selectedcontent()` ([`treebuilder.py#L1243`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1243)) calls `_find_elements()` ([`treebuilder.py#L1280`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1280)) to recursively search the DOM tree for `<select>` elements:
```python
def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
    """Recursively find all elements with given name."""
    if node.name == name:
        result.append(node)
    if node.has_child_nodes():
        for child in node.children:
            self._find_elements(child, name, result)  # recursive call
```
When the DOM tree depth exceeds CPython's default recursion limit (1000), this raises an unhandled `RecursionError`. The full call path is:
`JustHTML(html)` → `tokenizer.run()` → `tree_builder.finish()` → `_populate_selectedcontent(document)` → `_find_elements(root, "select", selects)` (recursive)
Deeply nested DOM trees can be produced by nesting `<div>` tags ~1000 levels deep. On CPython with the default recursion limit, approximately 11 KB of `<div>` nesting is sufficient to trigger the error. The exact depth threshold is environment-dependent (CPython version, recursion limit setting, call stack depth at invocation).
Additional recursive functions are affected on already-parsed deep trees:
- `Node.clone_node(deep=True)` ([`node.py#L523`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L523)) — called during sanitization
- `_node_to_html()` ([`serialize.py#L580`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L580)) — used by `to_html(pretty=True)`
- `_to_markdown_walk()` ([`node.py#L817`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L817)) — used by `to_markdown()`
Note: the library already uses iterative traversal in several comparable functions (e.g., `_node_to_html_compact` at [`serialize.py#L197`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L197), `_to_text_collect` at [`node.py#L161`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L161), `_is_blocky_element` at [`serialize.py#L405`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L405), `apply_to_children` at [`transforms.py#L1642`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/transforms.py#L1642)), demonstrating the correct pattern.
### PoC
```python
from justhtml import JustHTML
html = "<div>" * 1000 + "x" + "</div>" * 1000
doc = JustHTML(html) # raises RecursionError
```
Test environment: CPython 3.14.3, macOS ARM64 (Apple Silicon), justhtml 1.9.1, default recursion limit (1000)
| Input | Size | Result |
|-------|------|--------|
| `<div>` × 500 | 5,501 bytes | OK |
| `<div>` × 800 | 8,801 bytes | OK |
| `<div>` × 1000 | 11,001 bytes | RecursionError |
The error occurs with both `sanitize=True` (default) and `sanitize=False`.
### Impact
An attacker who can supply HTML for parsing can trigger an unhandled `RecursionError` during `JustHTML()` construction. The error is triggered during construction and is not avoided by `justhtml` configuration alone; mitigating it requires host-application exception handling or input constraints. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.
### Suggested Fix
Convert the recursive tree traversal functions to iterative implementations using an explicit stack. Example for `_find_elements`:
```python
def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
    stack = [node]
    while stack:
        current = stack.pop()
        if current.name == name:
            result.append(current)
        if current.has_child_nodes():
            stack.extend(reversed(current.children))
```
The same conversion should be applied to `_find_element`, `clone_node(deep=True)`, `_node_to_html()`, and `_to_markdown_walk()`. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-v7cf-c9rm-wm3j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wpb8-14qx-r7b1 |
|
| 7 |
| url |
VCID-xbwj-dann-yudk |
| vulnerability_id |
VCID-xbwj-dann-yudk |
| summary |
justhtml includes multiple security fixes
## Summary
`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.
These issues have different impact levels and do not all affect the default configuration in the same way.
## Affected versions
- `justhtml` `<= 1.14.0`
## Fixed version
- `justhtml` `1.15.0` released on April 9, 2026
## Impact overview
### Helper and serialization issues
These issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.
- `JustHTML.clean_url_value(...)` and `clean_url_in_js_string(...)` could accept URL values such as `javascript:...`, which became active `javascript:` URLs after HTML attribute parsing.
- URL sanitization could treat values like `\\evil.example/x` or `/\\evil.example/x` as safe relative URLs even though browsers could resolve them as remote requests.
- Malformed bracketed hosts such as `https://[evil.example]/x` could raise exceptions and crash sanitization when host allowlists were used.
- Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.
- Programmatic HTML comments containing `-->` could break out of the comment and inject live markup.
### Markdown passthrough issue
- `to_markdown(html_passthrough=True)` could reintroduce active HTML from sanitized `<textarea>` content by emitting a raw closing `</textarea>` sequence.
### Custom policy issues
These issues affected custom policies more than the default safe configuration.
- `a[ping]` was handled as a single URL even though browsers interpret it as a space-separated URL list.
- `attributionsrc` was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.
- `link[imagesrcset]` was not treated as URL-bearing and could preserve attacker-controlled image candidates.
- Preserved `<meta http-equiv="refresh">` tags could keep redirect targets without URL-policy enforcement.
- Preserved `<base href>` tags could rewrite how later relative URLs resolved in the browser.
- Preserved `<style>` blocks could keep resource-loading CSS such as `@import`, `url(...)`, or `image-set(...)`.
- Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as `DropAttrs(...)`, `DropUrlAttrs(...)`, `AllowStyleAttrs(...)`, and `MergeAttrs(...)`.
## Default configuration
Most of the custom-policy issues above did **not** affect the default `JustHTML(..., sanitize=True)` behavior.
The main exceptions were:
- helper APIs such as `clean_url_value(...)`
- programmatic DOM / serializer usage
- applications explicitly using `html_passthrough=True`
- applications using custom policies or custom transform pipelines
## Recommended action
Upgrade to `justhtml` `1.15.0`.
If you cannot upgrade immediately:
- avoid `html_passthrough=True` for untrusted content
- avoid preserving `<style>`, `<meta http-equiv="refresh">`, and `<base href>` in custom policies
- avoid allowing `ping`, `attributionsrc`, or `imagesrcset` unless you explicitly validate them
- avoid serializing untrusted programmatic node names, attribute names, or comment data |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-c9vm-hv86-f23r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbwj-dann-yudk |
|
|