GHSA-r758-8hxw-4845: justhtml: Mutation XSS with custom foreign-namespace sanitization policies
Summary
A mutation XSS (cross-site scripting, where attackers inject malicious code through HTML) vulnerability was found in the justhtml library when using custom sanitization policies that preserve foreign namespaces such as SVG or MathML. Specially crafted input could pass through sanitization and appear safe, but when the sanitized output is serialized and parsed again by a browser or another parser, the resulting DOM differs from what the sanitizer saw and can contain dangerous markup. This only affects users with custom policies; the default settings are safe.
Solution / Mitigation
Upgrade to justhtml version 1.14.0 or later. If you cannot upgrade immediately, keep `drop_foreign_namespaces=True`, avoid allowlisting foreign namespaces for untrusted input, and avoid allowlisting raw-text containers such as `<style>` in custom policies.
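As an added illustration of the mitigation above (example code, not justhtml's own code or API): a small lint that inspects a custom policy and flags the three settings the advisory warns against. The policy dict shape, its key names other than `drop_foreign_namespaces`, and the sample policies are constructed assumptions for this example; only the option name and the advice itself come from the advisory.

```python
# Added example (not justhtml's own code): a lint over a custom sanitization
# policy that flags the three settings the advisory's mitigation warns about.
# ASSUMPTION: the policy is a plain dict with keys "drop_foreign_namespaces"
# and "allowed_tags"; this shape is constructed for illustration and is not
# justhtml's real policy API.

# Root elements that switch the HTML parser into a foreign namespace.
FOREIGN_NAMESPACE_ROOTS = {"svg", "math"}

# HTML raw-text elements: their content is not parsed as markup by the
# sanitizer's parser, so a reparse of the serialized output can see tags
# the sanitizer never did. <style> is the one named in the advisory.
RAW_TEXT_CONTAINERS = {"style", "script", "xmp", "iframe", "noembed", "noframes", "plaintext"}


def lint_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy follows the mitigation."""
    findings: list[str] = []
    allowed = {str(tag).lower() for tag in policy.get("allowed_tags", ())}

    # First mitigation: keep drop_foreign_namespaces=True (assumed default True).
    if not policy.get("drop_foreign_namespaces", True):
        findings.append("drop_foreign_namespaces is False: foreign-namespace "
                        "content (svg/math) survives sanitization")

    # Second mitigation: no foreign-namespace roots in the allowlist for untrusted input.
    foreign = sorted(allowed & FOREIGN_NAMESPACE_ROOTS)
    if foreign:
        findings.append(f"allowlisted foreign-namespace roots {foreign}: "
                        "do not allow these for untrusted input")

    # Third mitigation: no raw-text containers such as <style> in the allowlist.
    raw = sorted(allowed & RAW_TEXT_CONTAINERS)
    if raw:
        findings.append(f"allowlisted raw-text containers {raw}: their text "
                        "is reinterpreted as markup on reparse")
    return findings


# Constructed policies: the weak one combines every setting the advisory
# warns against; the corrected one keeps the default and a plain allowlist.
WEAK_POLICY = {
    "drop_foreign_namespaces": False,
    "allowed_tags": ["p", "a", "b", "svg", "style"],
}
CORRECTED_POLICY = {
    "drop_foreign_namespaces": True,
    "allowed_tags": ["p", "a", "b"],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        findings = lint_policy(policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running the block prints three findings for the weak policy and `OK` for the corrected one. Tag names are lower-cased before comparison because HTML tag names are case-insensitive, so an allowlist entry of `STYLE` is still caught.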
Original source: https://github.com/advisories/GHSA-r758-8hxw-4845
First tracked: April 8, 2026 at 02:01 AM
Classified by LLM (prompt v3) · confidence: 75%