Possible XSS bypass if style tag is allowed
Description
HtmlSanitizer before v5.0.372 allows XSS bypass when the style tag is explicitly allowed; patched in v5.0.372.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2020-26293 is a cross-site scripting (XSS) bypass vulnerability in the HtmlSanitizer .NET library prior to version 5.0.372 [1]. The bug occurs specifically when the `<style>` tag has been explicitly added to the allowed tags list; it is not allowed by default [1]. An attacker supplies a style block whose CSS uses the hex escape `\3c` (the `<` character) instead of a literal `<`, for example a `\3c /style>` sequence followed by an attack payload (e.g., `\3c img src onerror=alert(1)>`, the payload used in the regression test added with the fix). The sanitizer parses the stylesheet and re-serialises it, and re-serialisation decodes the escapes. Before the fix, the sanitizer's SanitizeStyleSheets method wrote the serialised CSS back into the style element without re-escaping `<`, so the output contained a literal `</style><img src onerror=alert(1)>`: the browser ends the style element at `</style` and parses what follows as HTML, allowing the payload to be injected as raw HTML after sanitization [4].
Impact
If exploited, this bypass allows an attacker to inject arbitrary JavaScript, leading to stored or reflected XSS attacks. Since HtmlSanitizer is used to sanitize user-supplied HTML in .NET applications (often in web forums, comments, or rich-text editors), any deployment that has opted in to the `<style>` tag and relies on the sanitizer as its defence against script injection is exposed, and successful exploitation could compromise the security of the application and its users [2].
Mitigation
The vulnerability has been fixed in HtmlSanitizer version 5.0.372 [3]. Users should update to this version or later. The fix ensures that the `<` character in style element content is escaped to `\3c` before the serialised CSS is written back into the DOM [4]. No workaround is available other than not adding the `<style>` tag to the allowed tags list; it is absent from the allowed list in the default configuration [1].
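To make the root cause and the fix concrete, the following is an added example (not code from HtmlSanitizer or AngleSharp) that models the two parsers involved: a CSS hex-escape decoder standing in for the stylesheet re-serialisation in SanitizeStyleSheets, and the HTML tokenizer's rule for where a `<style>` raw-text element ends. The payload is constructed to match the shape of the one in the fix commit's regression test. `serialize_style_fixed` mirrors the one-line fix; `serialize_style_spaced` is an assumed variant for comparison, not the project's code.

```python
"""
Model of the CVE-2020-26293 mechanics: the CSS hex escape \\3c ('<') is
decoded when the stylesheet is re-serialised, and a literal '</style' inside
a <style> element ends the element in the browser's HTML tokenizer.
Added example; HtmlSanitizer/AngleSharp are not used, only modelled.
"""
import re

# CSS Syntax Level 3, "consume an escaped code point": a backslash, 1-6 hex
# digits, and at most one whitespace character that belongs to the escape.
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")

# HTML tokenizer: RAWTEXT for <style> ends only at "</style" followed by
# whitespace, "/" or ">" (tag names are case-insensitive).
_STYLE_END_TAG = re.compile(r"</style(?=[\s/>])", re.IGNORECASE)


def css_unescape(css: str) -> str:
    """Decode CSS hex escapes as a CSS parser does before re-serialising."""
    def decode(m: re.Match) -> str:
        cp = int(m.group(1), 16)
        # Spec: NUL, surrogates and out-of-range values become U+FFFD.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    return _CSS_HEX_ESCAPE.sub(decode, css)


def serialize_style_vulnerable(css: str) -> str:
    """Models HtmlSanitizer < 5.0.372: the parsed sheet is written back with
    its escapes decoded and nothing re-escaped."""
    return css_unescape(css)


def serialize_style_fixed(css: str) -> str:
    """Models the v5.0.372 fix: ToCss().Replace("<", "\\3c")."""
    return css_unescape(css).replace("<", "\\3c")


def serialize_style_spaced(css: str) -> str:
    """Assumed variant (not the project's code): terminate the escape with a
    space so a hex digit that follows '<' is not absorbed into the escape."""
    return css_unescape(css).replace("<", "\\3c ")


def style_breaks_out(style_text: str) -> bool:
    """True if a browser would close the <style> element early and parse
    whatever follows as HTML."""
    return _STYLE_END_TAG.search(style_text) is not None


# Constructed payload, same shape as the one in the fix commit's test.
PAYLOAD = "x[x='\\3c /style>\\3c img src onerror=alert(1)>']{}"


def demo() -> dict:
    """Run the payload through the vulnerable and fixed serialisers."""
    vuln = serialize_style_vulnerable(PAYLOAD)
    fixed = serialize_style_fixed(PAYLOAD)
    return {
        "vulnerable_output": vuln,
        "vulnerable_breaks_out": style_breaks_out(vuln),
        "fixed_output": fixed,
        "fixed_breaks_out": style_breaks_out(fixed),
        # The browser's CSS parser still decodes the fixed text to the same
        # selector; only the HTML tokenizer no longer sees a '<'.
        "fixed_roundtrip": css_unescape(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `_spaced` variant matters for content, not security: `x[x='<a']` re-escaped as `\3ca` is read back by a CSS parser as U+03CA, whereas `\3c a` round-trips to `<a`. Either form keeps `</style` out of the serialised text, which is what stops the bypass.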
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| HtmlSanitizer (NuGet) | < 5.0.372 | 5.0.372 |
Affected products
- Range: < 5.0.372
Patches
a3a7602a44d4 Fix hex escape issue in style element
2 files changed · +14 −1
src/HtmlSanitizer/HtmlSanitizer.cs+1 −1 modified@@ -743,7 +743,7 @@ private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl) else i++; } - styleTag.InnerHtml = styleSheet.ToCss(); + styleTag.InnerHtml = styleSheet.ToCss().Replace("<", "\\3c"); } }
test/HtmlSanitizer.Tests/Tests.cs+13 −0 modified@@ -3201,6 +3201,19 @@ public void PreParsedDocumentWithContextTest() Assert.Equal("<html><head></head><body><div>hi</div></body></html>", returnedDocument.ToHtml()); } + + [Fact] + public void StyleByPassTest() + { + var sanitizer = new HtmlSanitizer(); + + sanitizer.AllowedTags.Add("style"); + + var html = "aaabc<style>x[x='\\3c /style>\\3c img src onerror=alert(1)>']{}</style>"; + var sanitized = sanitizer.Sanitize(html, "http://www.example.com"); + + Assert.Equal("aaabc<style>x[x=\"\\3c/style>\\3cimg src onerror=alert(1)>\"] { }</style>", sanitized); + } } }
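Review bot: `Replace("<", "\\3c")` in the HtmlSanitizer.cs hunk emits the escape without a terminating whitespace character, so whenever the character after a `<` in the serialised CSS is a hex digit (a string value such as `<a` or `<1`), a CSS parser consumes it as part of the escape and the re-parsed value changes (`\3ca` is U+03CA, not `<a`). Emit `"\\3c "` (trailing space, which the CSS escape grammar allows the escape to consume) so the re-escaped sheet round-trips to the same code points; the security effect is the same either way, since no `<` reaches the serialised text and `</style` can therefore never end the raw-text element early. A one-line comment above the assignment stating why `<` must be re-escaped after `ToCss()` would also help, as the intent is not obvious from the code alone.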
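Review bot: the single assertion in StyleByPassTest pins the exact serialised form produced by the CSS library (double quotes instead of the input's single quotes, the dropped space after each `\3c`, the `{ }` spacing), so the test will fail on any formatting change in the CSS serialiser rather than only on a regression of the fix. Add an assertion on the property the fix guarantees, for example `Assert.DoesNotContain("</style>", sanitized.Substring(0, sanitized.LastIndexOf("</style>")))` or simply that no `<` occurs between the `<style>` and `</style>` tags, and consider a second case where `\3c` is followed by a hex digit so the escape-termination behaviour of the replacement is pinned down as well.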
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8j9v-h2vp-2hhv (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-26293 (NVD)
- github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8 (fix commit)
- github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372 (release)
- github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv (repository advisory)
- www.nuget.org/packages/HtmlSanitizer (NuGet package)
News mentions
No linked articles in our index yet.