OWASP Java HTML Sanitizer Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in OWASP Java HTML Sanitizer version 20240325.1. The issue arises when the HtmlPolicyBuilder allows 'noscript' and 'style' tags, with 'allowTextIn' enabled for the style tag. In such cases, if a payload is crafted to exploit the CSS handling and includes tags not specified in the HTML policy, it can lead to XSS. The vulnerability is linked to how browsers interpret 'noscript' tags after sanitization, potentially allowing script execution.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create an HtmlPolicyBuilder that permits the 'p', 'noscript', and 'style' tags and allows text in the style tag. Then sanitize a payload that includes a script tag, which the policy does not allow and which should therefore be stripped during sanitization. After sanitization, the output still contains the script tag, which indicates a successful XSS exploit.
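
To check whether a code base builds a policy with the combination described above, the following added example (not part of the original advisory or of the OWASP project) scans Java source for HtmlPolicyBuilder chains that allow both 'noscript' and 'style' and enable allowTextIn for 'style'. It is a heuristic that assumes each policy is written as one fluent chain ending in ';'; the function names and the sample source are constructed for illustration.

```python
import re

# Builder calls of interest and the quoted element names inside their arguments.
CALL_RE = re.compile(r'\.(allowElements|allowTextIn)\s*\(([^)]*)\)', re.S)
STRING_RE = re.compile(r'"([^"\\]*)"')
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
BUILDER_RE = re.compile(r'new\s+HtmlPolicyBuilder\s*\(\s*\)')

def policy_chains(java_source):
    """Yield each 'new HtmlPolicyBuilder()' statement, up to its ';'."""
    code = COMMENT_RE.sub('', java_source)  # heuristic comment stripping
    for m in BUILDER_RE.finditer(code):
        end = code.find(';', m.end())
        yield code[m.start():] if end == -1 else code[m.start():end]

def risky_policies(java_source):
    """Return the chains that allow noscript + style with text in style."""
    findings = []
    for chain in policy_chains(java_source):
        allowed, text_in = set(), set()
        for method, args in CALL_RE.findall(chain):
            names = {s.lower() for s in STRING_RE.findall(args)}
            (allowed if method == 'allowElements' else text_in).update(names)
        # The combination named in the advisory.
        if {'noscript', 'style'} <= allowed and 'style' in text_in:
            findings.append(' '.join(chain.split()))
    return findings

# Constructed sample source: policies a and d match, b and c do not.
SAMPLE = '''
PolicyFactory a = new HtmlPolicyBuilder()
    .allowElements("p", "noscript", "style")  // combination from the advisory
    .allowTextIn("style")
    .toFactory();
PolicyFactory b = new HtmlPolicyBuilder()
    .allowElements("p", "style").allowTextIn("style").toFactory();
PolicyFactory c = new HtmlPolicyBuilder().allowElements("p", "noscript").toFactory();
PolicyFactory d = new HtmlPolicyBuilder().allowElements("noscript")
    .allowElements("style").allowTextIn("style").toFactory();
'''

if __name__ == '__main__':
    for finding in risky_policies(SAMPLE):
        print('review policy:', finding)
```

Policies assembled across several statements or through helper methods are not seen by this scan and need manual review.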

Added: Nov 26, 2025, 2:18 AM
Updated: Nov 26, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.