GHSA-r8cj-3554-33mr

Summary

justhtml 1.18.0 fixes multiple low-severity denial-of-service hardening issues in CSS selector handling and linkification.

These issues are availability concerns. They do not allow script execution, data disclosure, or sanitizer bypass by themselves.

Affected versions

• justhtml < 1.18.0

Fixed version

• justhtml 1.18.0 released on May 4, 2026

Impact

CSS selector handling

Applications that evaluate attacker-controlled selector strings, or that run selector-based transform pipelines over attacker-controlled documents, could consume disproportionate CPU or memory.

The affected selector patterns included oversized selectors, large selector lists, oversized compound selectors, long combinator chains, deeply nested functional pseudo-classes such as :not(...), repeated attribute/class token matching over large values, repeated sibling or ancestor scans, repeated positional pseudo-class work, and :contains(...) over large descendant text.

Programmatically constructed malformed DOM graphs could also trigger non-terminating or duplicate traversal in some selector paths, including cyclic/shared child graphs, cyclic parent chains, and cyclic text traversal for :contains(...).

Linkification

Attacker-controlled text containing punctuation-heavy input or URL candidates ending in long runs of unmatched closing brackets could cause repeated rescanning and consume disproportionate CPU when linkification was enabled.

Default configuration

Ordinary sanitization of parsed HTML with the default JustHTML(..., sanitize=True) configuration is not expected to expose untrusted users to selector injection, because selectors are normally supplied by application code.

The main risk areas are:

• applications that accept selector strings from untrusted users and pass them to query(...), matches(...), or selector-based transforms
• custom transform or sanitization pipelines that run selector matching over very large untrusted documents
• applications that construct or mutate DOM trees programmatically from untrusted structure
• applications that enable Linkify(...) over attacker-controlled text

Fixes in 1.18.0

1.18.0 adds generalized selector resource controls and removes several repeated-work hot paths:

• shared selector limits for parse and match operations
• structural caps for selector length, selector lists, compound selectors, complex selectors, and parse depth
• match-operation and string-byte budgets
• per-query matcher state for caches and cycle guards
• precomputed or cached ancestor, sibling, positional, attribute-token, text-content, :not(...), :empty, and :nth-child(...) work
• consistent enforcement across public parsing, query(...), tag-only query fast paths, transform selector compilation, and sanitization transform matching
• linkification hardening for punctuation-heavy inputs and trailing bracket trimming

CWE mapping

• CWE-400: Uncontrolled Resource Consumption
• CWE-407: Inefficient Algorithmic Complexity
• CWE-835: Loop with Unreachable Exit Condition

Recommended action

Upgrade to justhtml 1.18.0.

If users cannot upgrade immediately:

• do not pass untrusted selector strings to query(...), matches(...), or selector-based transforms
• restrict the size of untrusted documents before selector matching or linkification
• avoid constructing programmatic DOM graphs from untrusted structure
• avoid enabling Linkify(...) on very large attacker-controlled text

Credit

Discovered during an internal security review of justhtml.