Tag
The `lxml_html_clean.Cleaner` Python library, and the `lxml.html.clean` module in `lxml`, fails to strip `javascript:`, `vbscript:`, and `data:` URLs from namespaced attributes like `xlink:href` when configured with `safe_attrs_only=False`. This vulnerability, identified as CVE-2026-49825, is a form of stored Cross-Site Scripting (XSS) that allows malicious JavaScript to bypass sanitization, enabling client-side code execution if an application processes and renders untrusted HTML containing such payloads.