
chore(deps): bump justhtml from 1.18.0 to 1.22.0 in /requirements #17262

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/requirements/justhtml-1.22.0

Conversation

dependabot[bot] commented on behalf of github on Jun 25, 2026

Bumps justhtml from 1.18.0 to 1.22.0.

Release notes

Sourced from justhtml's releases.

Release v1.22.0

Security

  • (Severity: Moderate) Harden to_markdown() inline code-span generation against blank-line breakout. Previously, sanitized text inside <code> or linked <pre> elements could contain a blank line that ended the inline Markdown paragraph and exposed following text as raw HTML/Markdown in compliant renderers.
  • (Severity: Low) Validate the browser-parsed target URL for quoted allowlisted meta-refresh content values. Previously, a refresh target such as url='https://evil.example/x' could be treated as a relative URL by JustHTML while browsers strip the quotes before navigation, bypassing host-restricted explicit UrlPolicy rules when relative URLs were allowed.
  • (Severity: Low) Apply explicit UrlPolicy rules for allowlisted meta-refresh content values. Previously, policies that configured ("meta", "content") as a URL sink still preserved untrusted refresh targets because the redirect URL was embedded inside the attribute value instead of being validated.
  • (Severity: Low) Treat CSS-wide ambient-value keywords such as inherit, revert, revert-layer, and unset as unsafe in inline styles, SVG presentation attributes, and preserved <style> blocks. Previously, custom policies that allowed image-valued CSS properties or SVG URL-function presentation attributes could preserve declarations that resolve to URL-bearing values supplied by surrounding page CSS, bypassing per-declaration URL validation.
  • (Severity: Low) Treat MathML definitionURL attributes as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom foreign-content policies could allow definitionURL as ordinary text and preserve external-definition URIs without URL validation.
  • (Severity: Low) Treat SVG/XML xml:base attributes as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom foreign-content policies could allow xml:base as ordinary text and let it change the base URL used by accepted descendant relative URLs without URL validation.
  • (Severity: Low) Treat SVG xlink:href attributes as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom foreign-content policies could allow xlink:href as ordinary text and preserve browser-fetching URLs without URL validation.
  • (Severity: Low) Treat CSS src(...) references as unsafe in inline styles and preserved <style> blocks. Previously, custom policies that allowed image-valued CSS properties could preserve URL-bearing src(...) values that bypassed per-declaration URL validation.

Release v1.21.0

Changed

  • Allow the public AllowStyleAttrs(...) transform to receive a url_policy so custom transform pipelines can opt in to the same CSS url(...) validation used by sanitizer policies.
  • Preserve explicitly allowlisted foreign-content tags when drop_foreign_namespaces=False, instead of silently removing selected SVG and MathML tags after the allowlist check.
  • Preserve explicitly allowlisted attributes instead of silently removing selected browser-sensitive attributes after the allowlist check.

Security

  • (Severity: Low) Percent-encode UrlProxy.param names when rewriting URLs through a sanitizer proxy. Previously, custom proxy parameter names containing query separators could inject additional proxy query parameters into sanitized output.
  • (Severity: Low) Treat SVG marker presentation attributes as URL-function sinks. Previously, custom foreign-content policies could preserve external marker references without URL validation.
  • (Severity: Low) Treat legacy image attributes dynsrc, lowsrc, and icon as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom policies could allow these attributes as ordinary text attributes and preserve browser-fetching URLs without URL validation.
  • (Severity: Low) Apply sanitizer URL rules to allowed inline CSS url(...) declarations during JustHTML(..., policy=...) sanitization. Previously, the helper path could validate CSS URLs, but the constructor-time sanitizer transform did not pass the policy through and dropped those declarations instead of enforcing the configured URL rule.
  • (Severity: Low) Treat CSS var(...) references as unsafe in inline styles and preserved <style> blocks. Previously, custom policies that allowed CSS properties such as background-image could preserve variable indirection that resolves to a URL at render time, bypassing per-declaration URL validation.
  • (Severity: Low) Treat CSS image(...) references as unsafe in inline styles and preserved <style> blocks. Previously, custom policies that allowed image-valued CSS properties could preserve string-backed image URLs that bypassed per-declaration URL validation.
  • (Severity: Low) Treat URL-bearing <param name="..."> values such as movie, src, url, href, and data as URL sinks that require explicit UrlPolicy rules. Previously, custom policies could allow <param name="movie" value="..."> as ordinary text and preserve plugin/resource URLs without URL validation.
  • (Severity: Low) Treat SVG color-profile IRIs as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom foreign-content policies could preserve external ICC profile references without URL validation.
  • (Severity: Low) Treat SVG shape-inside and shape-outside presentation attributes as URL-function sinks. Previously, custom foreign-content policies could preserve external shape references without URL validation.

Release v1.20.0

Changed

  • Improve public type hints for DOM query, serialization, sanitization, and streaming APIs so editor autocomplete and downstream type checking see concrete JustHTML node and event types instead of broad Any values.

Security

  • (Severity: Low) Treat legacy browser URL attributes such as archive, codebase, longdesc, manifest, profile, and usemap as URL-bearing attributes that require explicit UrlPolicy rules. Previously, custom policies could allow these attributes as ordinary text attributes and preserve browser-fetching URLs without URL validation.
  • (Severity: Low) Report dropped comments and doctypes through the sanitizer policy's unsafe_handling mode. Previously, collect- and raise-mode policies stripped these nodes silently instead of recording or raising security findings.
  • (Severity: Low) Harden programmatic template DOM mutation against cycles through template.template_content. Previously, appending a template into its own template content could make operations such as deep cloning or HTML serialization loop indefinitely.
  • (Severity: Low) Prevent stale collected sanitizer findings from leaking across repeated sanitize(...) and sanitize_dom(...) calls when a collect-mode policy object is reused.
  • (Severity: Moderate) Apply the constructor policy to nested explicit Sanitize() transforms inside Stage(...), and treat staged Sanitize() transforms as the documented sanitization point. Previously, JustHTML(..., policy=custom, sanitize=False, transforms=[Stage([Sanitize()])]) fell back to the default policy and could preserve content outside the caller's custom allowlist.
  • (Severity: Moderate) Apply the constructor policy to explicit Sanitize() transforms that omit their own policy. Previously, JustHTML(..., policy=custom, transforms=[Sanitize()]) fell back to the default policy and could preserve tags, attributes, or URLs outside the caller's custom allowlist.
  • (Severity: Low) Prevent stale collected sanitizer findings from leaking into later JustHTML(..., transforms=[Sanitize(policy=...)], collect_errors=True) results when a collect-mode policy object is reused.

Release v1.19.0

Security

  • (Severity: Moderate) Honor UrlPolicy.default_handling for URL rules that do not set UrlRule.handling. Previously, policies that set default_handling="strip" or "proxy" could still keep validated URLs as live links unless every rule also set its own handling.
  • (Severity: Low) Harden URL sanitization against control characters in otherwise allowed URLs. Previously, values such as https://example.com/a&#10;b could pass validation and serialize with the embedded control character preserved.

Changelog

Sourced from justhtml's changelog.

[1.22.0] - 2026-05-22
[1.21.0] - 2026-05-15
[1.20.0] - 2026-05-14
[1.19.0] - 2026-05-09

The changelog entries for these four versions are identical to the release notes quoted above.

Commits
  • fd5c908 Release v1.22.0
  • dbb4d7e Prepare changelog for v1.22.0
  • a651773 security: harden inline code-span generation in to_markdown() against blank...
  • 4c33bf1 security: validate quoted allowlisted meta-refresh URLs to prevent bypassing ...
  • db0dac1 security: apply explicit UrlPolicy rules for allowlisted meta-refresh content...
  • d05a2a1 refactor: handle CSS ambient value keywords with !important in sanitization a...
  • e4350fb security: treat CSS-wide ambient-value keywords as unsafe in inline styles an...
  • b51b6a5 refactor: improve URL handling in inline style sanitization and streamline UR...
  • b555d7f refactor: streamline CSS value disallowed functions check for improved readab...
  • 928bc4a security: treat CSS-wide ambient-value keywords as unsafe in inline styles an...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
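The quoted-URL meta-refresh bypass and the embedded control-character case from the release notes above, as an added example that is not justhtml's code: a browser-style refresh parser beside the naive pre-fix style, with the same host-restricted check applied to each. The host allowlist, the function names and the naive parser are constructed for illustration.

```python
import re
from html import unescape
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed host allowlist for the check below (assumption, not justhtml's policy).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# C0 controls plus DEL; a target carrying one after entity decoding
# (e.g. "a&#10;b") must be rejected, not serialized back out.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_refresh_target(content: str) -> Optional[str]:
    """Pre-fix style parsing (constructed to show the bug): everything after
    'url=' is taken verbatim, so surrounding quotes stay part of the URL."""
    m = re.search(r"url=(.*)$", content, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None


def browser_refresh_target(content: str) -> Optional[str]:
    """Approximates the HTML 'shared declarative refresh steps': skip the
    delay, an optional ';' or ',' separator and an optional 'url='
    prefix, then strip one pair of matching quotes around the target."""
    s = content.strip()
    i = 0
    while i < len(s) and (s[i].isdigit() or s[i] in ". \t\n\r"):
        i += 1
    if i >= len(s):
        return None  # delay only: a reload, no navigation target
    if s[i] in ";,":
        i += 1
    rest = s[i:].lstrip()
    if rest[:3].lower() == "url":
        rest = rest[3:].lstrip()
        if rest[:1] == "=":
            rest = rest[1:].lstrip()
    if rest[:1] in ("'", '"'):
        # Browsers drop the quotes, so url='https://evil.example/x'
        # navigates to https://evil.example/x; keeping them makes the
        # value look like a relative URL to a naive validator.
        end = rest.find(rest[0], 1)
        rest = rest[1:] if end == -1 else rest[1:end]
    return rest.strip() or None


def is_allowed_refresh(content: str,
                       parse: Callable[[str], Optional[str]] = browser_refresh_target,
                       allow_relative: bool = True) -> bool:
    """Host-restricted policy applied to the parsed navigation target."""
    target = parse(content)
    if target is None:
        return False
    target = unescape(target)  # resolve &#10; etc. before any check
    if CONTROL_CHARS.search(target):
        return False  # urlsplit silently drops \t \r \n, so check first
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return allow_relative  # relative target: stays on the page's origin
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
```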

Bumps [justhtml](https://github.com/emilstenstrom/justhtml) from 1.18.0 to 1.22.0.
- [Release notes](https://github.com/emilstenstrom/justhtml/releases)
- [Changelog](https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)
- [Commits](EmilStenstrom/justhtml@v1.18.0...v1.22.0)

---
updated-dependencies:
- dependency-name: justhtml
  dependency-version: 1.22.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 25, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 25, 2026 19:02