GHSA-r758-8hxw-4845: justhtml: Mutation XSS with custom foreign-namespace sanitization policies

April 8, 2026

A parser-differential / mutation XSS issue was found in justhtml when using a custom sanitization policy that preserves foreign namespaces such as SVG or MathML.

Under these custom settings, specially crafted input could sanitize into HTML that looked safe at first, but became unsafe when parsed again by a browser or another HTML parser.

References

github.com/EmilStenstrom/justhtml
github.com/EmilStenstrom/justhtml/commit/8adc4dfe31723dc522f44338f9bd98381c92b076
github.com/EmilStenstrom/justhtml/releases/tag/v1.14.0
github.com/EmilStenstrom/justhtml/security/advisories/GHSA-r758-8hxw-4845
github.com/advisories/GHSA-r758-8hxw-4845

Code Behaviors & Features

Detect and mitigate GHSA-r758-8hxw-4845 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →