justhtml 1.14.0

Direct Vulnerabilities

Known vulnerabilities in the justhtml package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Modification of Assumed-Immutable Data (MAID) justhtml is an A pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) through the `sanitize()`, `sanitize_dom()`, and `JustHTML(..., sanitize=True)` paths in `src/justhtml/sanitize.py`. An attacker can bypass intended HTML filtering by mutating nested policy state, such as `allowed_attributes` or `url_policy.allow_rules` after a sanitizer has been compiled, causing later sanitization calls to keep using a previously compiled, more permissive policy and preserve dangerous markup or URLs. The same issue affects exported default policy objects process-wide, so weakening `DEFAULT_POLICY.url_policy.allow_rules[("a", "href")].allowed_schemes` can alter subsequent default sanitization and let malicious links survive in user-visible output. Note: The maintainer aggregated multiple security fixes into one advisory; a detailed explanation of the individual impacts is detailed in the maintainer's advisory. How to fix Modification of Assumed-Immutable Data (MAID)? Upgrade `justhtml` to version 1.16.0 or higher.	[,1.16.0)
M Cross-site Scripting (XSS) justhtml is an A pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of URL sanitization helpers, HTML serialization, Markdown passthrough, and custom sanitization-policy edge cases. An attacker can execute arbitrary JavaScript, inject malicious HTML, cause denial of service, or bypass security policies by supplying specially crafted input to functions such as `clean_url_value`, `clean_url_in_js_string`, or by leveraging programmatic DOM construction, malformed URLs, or unsafe attribute and comment serialization. Note: The maintainer aggregated several issues that have different impact levels and do not all affect the default configuration in the same way. A detailed explanation of each change is provided in the fix changelog and the maintainer's advisory. How to fix Cross-site Scripting (XSS)? Upgrade `justhtml` to version 1.15.0 or higher.	[,1.15.0)

Vulnerability

Vulnerable Version

Modification of Assumed-Immutable Data (MAID)

justhtml is an A pure Python HTML5 parser that just works.

Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) through the sanitize(), sanitize_dom(), and JustHTML(..., sanitize=True) paths in src/justhtml/sanitize.py. An attacker can bypass intended HTML filtering by mutating nested policy state, such as allowed_attributes or url_policy.allow_rules after a sanitizer has been compiled, causing later sanitization calls to keep using a previously compiled, more permissive policy and preserve dangerous markup or URLs. The same issue affects exported default policy objects process-wide, so weakening DEFAULT_POLICY.url_policy.allow_rules[("a", "href")].allowed_schemes can alter subsequent default sanitization and let malicious links survive in user-visible output.

Note: The maintainer aggregated multiple security fixes into one advisory; a detailed explanation of the individual impacts is detailed in the maintainer's advisory.

How to fix Modification of Assumed-Immutable Data (MAID)?

Upgrade justhtml to version 1.16.0 or higher.

[,1.16.0)

Cross-site Scripting (XSS)

justhtml is an A pure Python HTML5 parser that just works.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of URL sanitization helpers, HTML serialization, Markdown passthrough, and custom sanitization-policy edge cases. An attacker can execute arbitrary JavaScript, inject malicious HTML, cause denial of service, or bypass security policies by supplying specially crafted input to functions such as clean_url_value, clean_url_in_js_string, or by leveraging programmatic DOM construction, malformed URLs, or unsafe attribute and comment serialization.

Note: The maintainer aggregated several issues that have different impact levels and do not all affect the default configuration in the same way. A detailed explanation of each change is provided in the fix changelog and the maintainer's advisory.

How to fix Cross-site Scripting (XSS)?

Upgrade justhtml to version 1.15.0 or higher.

[,1.15.0)

justhtml@1.14.0

A pure Python HTML5 parser that just works.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically