GHSA-qvc2-mg72-jjhx: JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)

Sanitized DOM trees can be unsafe to serialize when a custom policy allows raw-text elements such as <style> or <script>.

The issue affects DOM trees that are constructed or modified programmatically and then passed through sanitize_dom() with a policy that keeps these elements. Text nodes inside <style> and <script> are serialized literally, so attacker-controlled text containing the matching closing tag sequence can break out of the raw-text context and inject HTML into the serialized output.

The default sanitization policy is not affected because it drops the contents of style and script.