If you have explicitly allowed the <style> tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style> tag, so there is no risk if you have not explicitly allowed the <style> tag.
The problem has been fixed in version 5.0.372.
Remove the <style> tag from the set of allowed tags.
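The following is an added example showing how that workaround looks in code; it is not part of the advisory or of the HtmlSanitizer project itself. It assumes the HtmlSanitizer 5.x API (the Ganss.Xss namespace, an HtmlSanitizer class with an AllowedTags set and a Sanitize method) and uses a constructed, harmless input to confirm that style blocks are stripped.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer 5.x namespace (older releases used Ganss.XSS)

// Added example, not project code: make sure "style" is absent from the
// allowed-tag set, then verify a style block does not survive sanitization.
class StyleTagWorkaround
{
    static HtmlSanitizer BuildSanitizer()
    {
        var sanitizer = new HtmlSanitizer();

        // Regardless of any earlier configuration, drop <style> from the allowed
        // tags. ISet<string>.Remove returns false when the entry was not present,
        // which is the case with the default settings.
        bool wasAllowed = sanitizer.AllowedTags.Remove("style");
        Console.WriteLine(wasAllowed
            ? "<style> was explicitly allowed; removed it."
            : "<style> was not allowed (default).");

        return sanitizer;
    }

    static void Main()
    {
        var sanitizer = BuildSanitizer();

        // Constructed sample input: a harmless style block that must not pass through.
        string input = "<p>hello</p><style>p { color: red; }</style>";
        string output = sanitizer.Sanitize(input);
        Console.WriteLine(output);

        if (output.Contains("<style", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("<style> survived sanitization");
    }
}
```

Run the check once after applying your own configuration; if a later change to AllowedTags reintroduces "style", the final assertion will fail before the sanitizer is used on untrusted input.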
If you have any questions or comments about this advisory, open an issue in https://github.com/mganss/HtmlSanitizer
This issue was discovered by Michal Bentkowski of Securitum.