GHSA-5VP3-3CG6-2RQ3 JustHTML is vulnerable to XSS via code fence breakout in <pre> content
Summary: tomarkdown is vulnerable when serializing attacker-controlled content. The handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content. An attacker can place backticks...
Cross-site Scripting (XSS)
Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tomarkdown function when serializing attacker-controlled content. An attacker can execute arbitrary HTML or scripts by crafting input containing...