GHSA-3rcm-vjrc-p45j: JustHTML has a Sanitizer Bypass (in Markdown)

March 18, 2026

to_markdown() does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in to_html() can become raw HTML in Markdown output.

This is not specific to tokenizer raw-text states like <title>, <noscript>, or <plaintext>, although those states can trigger the behavior. The root cause is broader: Markdown text serialization leaves angle brackets unescaped in text nodes.

References

github.com/EmilStenstrom/justhtml
github.com/EmilStenstrom/justhtml/security/advisories/GHSA-3rcm-vjrc-p45j
github.com/advisories/GHSA-3rcm-vjrc-p45j

Code Behaviors & Features

Detect and mitigate GHSA-3rcm-vjrc-p45j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →