Improper resource allocation in justhtml
Description
justhtml introduces denial-of-service hardening
Summary
justhtml 1.18.0 fixes multiple low-severity denial-of-service hardening issues in CSS selector handling and linkification.
These issues are availability concerns. They do not allow script execution, data disclosure, or sanitizer bypass by themselves.
Affected versions
justhtml < 1.18.0
Fixed version
justhtml 1.18.0 released on May 4, 2026
Impact
CSS selector handling
Applications that evaluate attacker-controlled selector strings, or that run selector-based transform pipelines over attacker-controlled documents, could consume disproportionate CPU or memory.
The affected selector patterns included oversized selectors, large selector lists, oversized compound selectors, long combinator chains, deeply nested functional pseudo-classes such as :not(...), repeated attribute/class token matching over large values, repeated sibling or ancestor scans, repeated positional pseudo-class work, and :contains(...) over large descendant text.
Programmatically constructed malformed DOM graphs could also trigger non-terminating or duplicate traversal in some selector paths, including cyclic/shared child graphs, cyclic parent chains, and cyclic text traversal for :contains(...).
Linkification
Attacker-controlled text containing punctuation-heavy input or URL candidates ending in long runs of unmatched closing brackets could cause repeated rescanning and consume disproportionate CPU when linkification was enabled.
Default configuration
Ordinary sanitization of parsed HTML with the default JustHTML(..., sanitize=True) configuration is not expected to expose untrusted users to selector injection, because selectors are normally supplied by application code.
The main risk areas are:
applications that accept selector strings from untrusted users and pass them to query(...), matches(...), or selector-based transforms
custom transform or sanitization pipelines that run selector matching over very large untrusted documents
applications that construct or mutate DOM trees programmatically from untrusted structure
applications that enable Linkify(...) over attacker-controlled text
Fixes in 1.18.0
1.18.0 adds generalized selector resource controls and removes several repeated-work hot paths:
shared selector limits for parse and match operations
structural caps for selector length, selector lists, compound selectors, complex selectors, and parse depth
match-operation and string-byte budgets
per-query matcher state for caches and cycle guards
precomputed or cached ancestor, sibling, positional, attribute-token, text-content, :not(...), :empty, and :nth-child(...) work
consistent enforcement across public parsing, query(...), tag-only query fast paths, transform selector compilation, and sanitization transform matching
linkification hardening for punctuation-heavy inputs and trailing bracket trimming
CWE mapping
CWE-400: Uncontrolled Resource Consumption
CWE-407: Inefficient Algorithmic Complexity
CWE-835: Loop with Unreachable Exit Condition
Recommended action
Upgrade to justhtml 1.18.0.
If users cannot upgrade immediately:
do not pass untrusted selector strings to query(...), matches(...), or selector-based transforms
restrict the size of untrusted documents before selector matching or linkification
avoid constructing programmatic DOM graphs from untrusted structure
avoid enabling Linkify(...) on very large attacker-controlled text
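For the interim mitigation of not passing untrusted selector strings to query(...) or matches(...), the following is an added example (not justhtml's own code) of an application-side gate that applies structural caps of the kind 1.18.0 describes (selector length, selector-list size, compound size, functional pseudo-class nesting depth) before a selector reaches the engine; the limit values, the SelectorLimits and check_selector names, and the character-level scan are assumptions, not justhtml's parser.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SelectorLimits:
    # Illustrative caps for an application-side gate, not the values justhtml 1.18.0 ships.
    max_length: int = 256          # whole selector string
    max_list_items: int = 8        # top-level comma-separated selectors
    max_compound_parts: int = 16   # simple selectors (., #, [..], :pseudo) in one compound
    max_nesting_depth: int = 2     # nested functional pseudo-classes such as :not(:not(...))

def check_selector(selector: str, limits: SelectorLimits = SelectorLimits()) -> Optional[str]:
    """Return None when the selector is within the caps, else the reason to reject it.
    Run before query(...)/matches(...) on untrusted selector strings; on a reason, do not query."""
    if len(selector) > limits.max_length:
        return "selector too long"
    depth, list_items, compound_parts = 0, 1, 0
    quote = None      # inside a quoted attribute value or :contains("...") argument
    in_attr = False   # inside [...]
    for ch in selector:
        if quote:                          # quoted text is opaque to the scan
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif in_attr:
            in_attr = ch != "]"
        elif ch == "(":                    # functional pseudo-class argument opens
            depth, compound_parts = depth + 1, 0
            if depth > limits.max_nesting_depth:
                return "functional pseudo-class nesting too deep"
        elif ch == ")":
            if depth == 0:
                return "unbalanced ')'"
            depth -= 1
        elif ch == "," and depth == 0:     # next selector in the top-level list
            list_items, compound_parts = list_items + 1, 0
            if list_items > limits.max_list_items:
                return "too many selectors in list"
        elif ch.isspace() or ch in ">+~":  # combinator ends the current compound
            compound_parts = 0
        elif ch in ".#[:":                 # another simple selector in this compound
            in_attr, compound_parts = ch == "[", compound_parts + 1
            if compound_parts > limits.max_compound_parts:
                return "compound selector too large"
    if depth or quote or in_attr:
        return "unbalanced selector"
    return None
```

The gate is deliberately coarser than a selector parser: it only bounds the shapes the advisory names, and a selector it accepts is still subject to whatever limits the library itself enforces.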
Credit
Discovered during an internal security review of justhtml.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pypi | justhtml | < 1.18.0 | 1.18.0 |