CVE-2021-35043
Description
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with the numeric character reference `&#00058` as the replacement for the : character.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AntiSamy before 1.6.4 fails to properly sanitize HTML attributes, allowing XSS via encoded colon in javascript: URLs.
Vulnerability
OWASP AntiSamy versions before 1.6.4 are vulnerable to cross-site scripting (XSS) when using the HTML output serializer. The issue lies in the handling of HTML attributes: an attacker can bypass sanitization by encoding the colon character in a javascript: URL as an HTML numeric character reference such as `&#00058`. The serializer emits the attribute value with the reference intact, the browser decodes it back to a colon, and arbitrary JavaScript runs. The XHTML serializer is not affected. [1][2]
Exploitation
An attacker can craft a malicious HTML attribute, for example an href value, containing a javascript: URL in which the colon is written as the numeric character reference `&#00058`, so the literal attribute text never contains javascript: as a plain string. When AntiSamy processes this input using the HTML output serializer, it fails to recognize the encoded colon as part of a dangerous scheme and outputs the attribute without proper sanitization. The attacker does not require authentication; the attack is triggered when a victim views the sanitized HTML in a browser. [2][4]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of cookies, session tokens, or other sensitive data, as well as defacement or redirection to malicious sites. The impact is consistent with stored or reflected XSS, depending on how the sanitized output is used. [2]
Mitigation
The vulnerability is fixed in AntiSamy version 1.6.4, released on July 19, 2021 [3]. Users should upgrade to at least version 1.6.4. No workarounds are documented; the fix addresses the encoding bypass in the HTML output serializer. [3][4]
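The core of the bug described above is a scheme check performed on the raw attribute text rather than on the value the browser will actually see after decoding character references. The following is an added example, not AntiSamy's code and not from the advisory, that shows the difference: a naive raw-text check beside a normalized check that first decodes HTML character references and strips the control characters browsers ignore, run over a handful of constructed sample attribute values. It is useful for auditing serialized output from any sanitizer, not only AntiSamy; the function names, `SCRIPT_SCHEMES` set and sample values are all assumptions of this example.

```python
import html
import re

# Schemes that execute script when a browser resolves them from an href,
# src, formaction or similar attribute.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Constructed sample attribute values, as they might appear in serialized
# output under review. They are illustrations for this example, not values
# taken from the advisory.
SAMPLES = [
    "https://example.com/profile",
    "javascript:alert(1)",
    "javascript&#00058;alert(1)",     # colon as a zero-padded decimal reference
    "javascript&#x3A;alert(1)",       # colon as a hexadecimal reference
    "JaVaScRiPt&#58;alert(1)",        # mixed case plus decimal reference
    "java\tscript:alert(1)",          # tab inside the scheme name
    "https://example.com/?next=javascript:alert(1)",
]


def naive_is_script_url(value: str) -> bool:
    """Scheme check on the raw attribute text.

    This is the shape of check that an entity-encoded colon slips past,
    because the literal text never contains 'javascript:'.
    """
    return value.strip().lower().startswith(tuple(s + ":" for s in SCRIPT_SCHEMES))


def normalize_attr_url(value: str) -> str:
    """Normalize an attribute value to what a browser will see.

    1. Decode HTML character references (decimal, hex and named), repeating a
       bounded number of times so a double-encoded value is also unwrapped.
    2. Remove ASCII control characters and spaces, which browsers ignore when
       they parse the scheme part of a URL.
    3. Lower-case, since schemes are case-insensitive.
    """
    current = value
    for _ in range(3):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    current = re.sub(r"[\x00-\x20]", "", current)
    return current.lower()


def is_script_url(value: str) -> bool:
    """Scheme check on the normalized value."""
    scheme, sep, _rest = normalize_attr_url(value).partition(":")
    return bool(sep) and scheme in SCRIPT_SCHEMES


def find_bypasses(values):
    """Return the values the naive check accepts but the normalized check
    flags: exactly the class of input the advisory describes."""
    return [v for v in values if is_script_url(v) and not naive_is_script_url(v)]


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:50} naive={naive_is_script_url(v)!s:5} normalized={is_script_url(v)}")
    print("bypasses of the naive check:", find_bypasses(SAMPLES))
```

The design point is that normalization must happen before the policy decision: decoding and control-character stripping have to mirror what the consuming browser does, otherwise the sanitizer and the browser disagree about what the attribute means. The bounded decode loop guards against double encoding without allowing unbounded work on adversarial input.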
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.owasp.antisamy:antisamy (Maven) | >= 1.5.7, < 1.6.4 | 1.6.4 |
Affected products
- OWASP/AntiSamy
- Range: <1.6.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9c8w-jrw3-q2c3
- nvd.nist.gov/vuln/detail/CVE-2021-35043
- github.com/nahsra/antisamy/pull/87
- github.com/nahsra/antisamy/releases/tag/v1.6.4
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html
- www.oracle.com/security-alerts/cpuoct2021.html
News mentions
No linked articles in our index yet.