VYPR
Moderate severity · NVD Advisory · Published Apr 21, 2022 · Updated Aug 3, 2024

CVE-2022-29577

Description

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AntiSamy before 1.6.7 allows XSS via HTML tag smuggling in STYLE content because the fix for CVE-2022-28367 was incomplete.

Vulnerability

OWASP AntiSamy [1] before version 1.6.7 is vulnerable to cross-site scripting (XSS) via HTML tag smuggling within STYLE content. The output serializer fails to properly encode the supposed CSS content, so crafted input can carry HTML through sanitization. The issue exists because the fix for CVE-2022-28367 [2] was incomplete. Affected versions: all prior to 1.6.7 [4].

Exploitation

An attacker can supply malicious HTML containing a `<style>` tag whose content smuggles further HTML tags. The defect is in the `processStyleTag` method of `AntiSamyDOMScanner`: after the CSS had been scanned and written back into the first child node, the loop meant to strip the remaining child nodes iterated forward over the live `NodeList` while removing from it, so each removal shifted the following nodes down one index and every second node was skipped, leaving smuggled content in the output [3]. The fix in commit 32e2735 iterates from the last child down to index 1 so that all but the first child node are removed. No authentication or special privileges are required; the attacker only needs to submit untrusted HTML to an application that sanitizes it with AntiSamy.
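The skipping behaviour of the old loop, shown as an added example that is not AntiSamy's own code: it builds a `<style>` element with the JDK's `org.w3c.dom` implementation (the same live `NodeList` API the AntiSamy DOM scanner uses), gives it one text child followed by several stand-in smuggled elements (constructed names `smuggled0`, `smuggled1`, ...), and runs the pre-1.6.7 forward removal loop and the 1.6.7 reverse loop against identical copies. The class and method names are this example's own.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class LiveNodeListDemo {

    // Build a <style> element whose first child is the (already cleaned) CSS text
    // and whose remaining children stand in for HTML smuggled into the style content.
    // The element names are constructed for this example.
    static Element buildStyle(Document doc, int smuggled) {
        Element style = doc.createElement("style");
        style.appendChild(doc.createTextNode("k"));
        for (int i = 0; i < smuggled; i++) {
            style.appendChild(doc.createElement("smuggled" + i));
        }
        return style;
    }

    // Pre-1.6.7 loop: walks forward over the live NodeList while removing from it.
    // Each removal shifts the remaining children down one index, so the node that
    // moves into position i is never visited once i is incremented.
    static int removeForward(Element ele) {
        for (int i = 1; i < ele.getChildNodes().getLength(); i++) {
            ele.removeChild(ele.getChildNodes().item(i));
        }
        return ele.getChildNodes().getLength();
    }

    // 1.6.7 loop: takes the count first and removes from the highest index down to 1,
    // so a removal never shifts an index that has not been visited yet.
    static int removeReverse(Element ele) {
        int childNodesCount = ele.getChildNodes().getLength();
        for (int i = childNodesCount - 1; i >= 1; i--) {
            ele.removeChild(ele.getChildNodes().item(i));
        }
        return ele.getChildNodes().getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element vulnerable = buildStyle(doc, 4); // five children in total
        Element fixed = buildStyle(doc, 4);
        System.out.println("children left by forward loop: " + removeForward(vulnerable));
        System.out.println("children left by reverse loop: " + removeReverse(fixed));
    }
}
```

Compile and run with `javac LiveNodeListDemo.java && java LiveNodeListDemo`. With five children, the forward loop leaves three (the text node plus the two smuggled elements it stepped over), while the reverse loop leaves only the text node; in AntiSamy the surviving nodes are what the serializer then emitted inside the style content.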

Impact

Successful exploitation lets an attacker smuggle HTML or JavaScript past AntiSamy's sanitization, so that markup the application treats as clean is rendered by the victim's browser; the test added with the fix uses an `<input>` element carrying an `onfocus=alert(1)` handler. The consequences are those of any stored or reflected XSS: session hijacking, data theft, or defacement within the context of the victim's browser.

Mitigation

The vulnerability is fixed in AntiSamy version 1.6.7, released on 2022-04-21 [4]. Users should upgrade to 1.6.7 or later. No workarounds are documented; the fix addresses the incomplete child node removal in the style tag processing [3]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
org.owasp.antisamy:antisamy (Maven)   < 1.6.7             1.6.7

Affected products

3

Patches

1
32e273507da0

Fix child node removal on style tag processing

https://github.com/nahsra/antisamy · Sebastián Passaro · Apr 9, 2022 · via ghsa
2 files changed · +8 −6
  • src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java  +4 −6  modified
    @@ -407,7 +407,8 @@ private boolean processStyleTag(Element ele, Node parentNode) {
             CssScanner styleScanner = new CssScanner(policy, messages, policy.isEmbedStyleSheets());
     
             try {
    -            if (ele.getChildNodes().getLength() > 0) {
    +            int childNodesCount = ele.getChildNodes().getLength();
    +            if (childNodesCount > 0) {
                     StringBuffer toScan = new StringBuffer();
     
                     for (int i = 0; i < ele.getChildNodes().getLength(); i++) {
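Review bot: `childNodesCount` is introduced here, but the read-only loop on the last line of this hunk still re-evaluates `ele.getChildNodes().getLength()` on every iteration. Behaviour is unchanged because that loop never modifies the list, but using the snapshot in both places (`for (int i = 0; i < childNodesCount; i++)`) would make it clear that the count taken before the CSS scan is the one the removal loop further down depends on, and that nothing between the two is expected to add or remove children.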
    @@ -428,29 +429,26 @@ private boolean processStyleTag(Element ele, Node parentNode) {
                      * would normally be left with an empty style tag and
                      * break all CSS. To prevent that, we have this check.
                      */
    -
                     String cleanHTML = cr.getCleanHTML();
                     cleanHTML = cleanHTML == null || cleanHTML.equals("") ? "/* */" : cleanHTML;
     
                     ele.getFirstChild().setNodeValue(cleanHTML);
                     /*
                      * Remove every other node after cleaning CSS, there will
                      * be only one node in the end, as it always should have.
    +                 * Starting from the end due to list updating on the fly.
                      */
    -                for (int i = 1; i < ele.getChildNodes().getLength(); i++) {
    +                for (int i = childNodesCount - 1; i >= 1; i--) {
                         Node childNode = ele.getChildNodes().item(i);
                         ele.removeChild(childNode);
                     }
                 }
    -
             } catch (DOMException | ScanException | ParseException | NumberFormatException e) {
    -
                 /*
                  * ParseException shouldn't be possible anymore, but we'll leave it
                  * here because I (Arshan) am hilariously dumb sometimes.
                  * Batik can throw NumberFormatExceptions (see bug #48).
                  */
    -
                 addError(ErrorMessageUtil.ERROR_CSS_TAG_MALFORMED, new Object[]{HTMLEntityEncoder.htmlEntityEncode(ele.getFirstChild().getNodeValue())});
                 parentNode.removeChild(ele);
                 return true;
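Review bot: the reverse loop `for (int i = childNodesCount - 1; i >= 1; i--)` is correct, since removing the highest index first never shifts an index that still has to be visited, which is exactly what the old forward loop got wrong as the live NodeList shrank under it. It does rely on `childNodesCount`, captured at the top of the try block, still matching the child count at this point; that holds today because `setNodeValue` on the first child changes text, not the number of nodes, but a snapshot-free form such as `while (ele.getChildNodes().getLength() > 1) { ele.removeChild(ele.getLastChild()); }` would not break if a later change inserted or removed nodes between the two loops. Worth a one-line comment either way.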
    
  • src/test/java/org/owasp/validator/html/test/AntiSamyTest.java  +4 −0  modified
    @@ -1713,10 +1713,14 @@ public void testSmuggledTagsInStyleContent() throws ScanException, PolicyExcepti
             Policy revised = policy.cloneWithDirective(Policy.USE_XHTML,"true");
             assertThat(as.scan("<style/>b<![cdata[</style><a href=javascript:alert(1)>test", revised, AntiSamy.DOM).getCleanHTML(), not(containsString("javascript")));
             assertThat(as.scan("<style/>b<![cdata[</style><a href=javascript:alert(1)>test", revised, AntiSamy.SAX).getCleanHTML(), not(containsString("javascript")));
    +        assertThat(as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", revised, AntiSamy.DOM).getCleanHTML(), not(containsString("input")));
    +        assertThat(as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", revised, AntiSamy.SAX).getCleanHTML(), not(containsString("input")));
     
             Policy revised2 = policy.cloneWithDirective(Policy.USE_XHTML,"false");
             assertThat(as.scan("<select<style/>W<xmp<script>alert(1)</script>", revised2, AntiSamy.DOM).getCleanHTML(), not(containsString("script")));
             assertThat(as.scan("<select<style/>W<xmp<script>alert(1)</script>", revised2, AntiSamy.SAX).getCleanHTML(), not(containsString("script")));
    +        assertThat(as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", revised2, AntiSamy.DOM).getCleanHTML(), not(containsString("input")));
    +        assertThat(as.scan("<select<style/>k<input<</>input/onfocus=alert(1)>", revised2, AntiSamy.SAX).getCleanHTML(), not(containsString("input")));
         }
     
         @Test(timeout = 3000)
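Review bot: the four new assertions only check `not(containsString("input"))`, which would also pass if the scanner dropped the whole payload or the entire style element, and they would not catch a regression in which the element name is mangled but `onfocus=alert(1)` survives. A positive assertion that the retained style text `k` is still present (or a comparison against the exact expected clean output) would show the fix removes only the smuggled nodes, and asserting `not(containsString("onfocus"))` alongside `input` would cover the handler attribute directly. The same applies to the existing CDATA cases at the top of this test.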
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.