<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Justhtml - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/justhtml/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/justhtml/feed.xml" rel="self" type="application/rss+xml"/><item><title>JustHTML XSS Vulnerability via Code Fence Breakout</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-justhtml-xss/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-justhtml-xss/</guid><description>JustHTML versions 1.12.0 and earlier are vulnerable to cross-site scripting (XSS) by manipulating the contents of a &lt;pre&gt; element to inject HTML code outside of the intended code block, potentially leading to arbitrary JavaScript execution.</description><content:encoded><![CDATA[<p>JustHTML, a Python library for HTML manipulation, is susceptible to a cross-site scripting (XSS) vulnerability in versions 1.12.0 and earlier. This flaw occurs during the <code>to_markdown()</code> serialization of attacker-controlled <code>&lt;pre&gt;</code> content. The vulnerability allows an attacker to inject arbitrary HTML code outside the intended fenced code block by exploiting a weakness in how the library handles backticks within the <code>&lt;pre&gt;</code> tag. This bypasses the v1.12.0 Markdown hardening, which escaped HTML-significant characters for regular text nodes but not for the separate <code>&lt;pre&gt;</code> serialization path. This can lead to the execution of arbitrary JavaScript code when the resulting Markdown is rendered by a CommonMark/GFM-style renderer that allows raw HTML.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts malicious HTML content containing a <code>&lt;pre&gt;</code> tag with embedded backticks and HTML-like text.</li>
<li>The attacker supplies this crafted HTML to the <code>JustHTML()</code> constructor with <code>sanitize=True</code>.</li>
<li>The <code>to_markdown()</code> method is called on the <code>JustHTML</code> object.</li>
<li>The <code>to_markdown()</code> method processes the <code>&amp;lt;pre&gt;</code> tag and generates a fenced code block with a fixed delimiter of ``````` (three backticks).</li>
<li>Due to the fixed delimiter, the attacker-controlled content, containing a backtick run of length 3 or more, terminates the code block prematurely.</li>
<li>The remaining HTML-like text, such as <code>&lt;img src=x onerror=alert(1)&gt;</code>, appears outside the fenced code block in the resulting Markdown output.</li>
<li>The vulnerable markdown is rendered by a CommonMark/GFM-style renderer.</li>
<li>The injected HTML is treated as raw HTML, leading to the execution of the embedded JavaScript code.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to inject arbitrary HTML and JavaScript code into applications that use <code>JustHTML(..., sanitize=True).to_markdown()</code> and render the output in Markdown contexts. This may lead to XSS, where the attacker can execute malicious scripts in the context of the victim's browser.  The number of affected applications is currently unknown, but any application using JustHTML for Markdown generation with user-supplied HTML is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a version of <code>justhtml</code> greater than 1.12.0 to remediate the vulnerability as advised in the advisory.</li>
<li>Sanitize user-provided HTML input before passing it to <code>JustHTML</code> to mitigate the risk of malicious code injection.</li>
<li>If upgrading is not immediately feasible, consider implementing custom escaping logic for <code>&lt;pre&gt;</code> content before passing it to <code>to_markdown()</code> to prevent code fence breakouts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>justhtml</category><category>markdown</category></item></channel></rss>