OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.
github.com/nahsra/antisamy
github.com/nahsra/antisamy/pull/87
github.com/nahsra/antisamy/releases/tag/v1.6.4
nvd.nist.gov/vuln/detail/CVE-2021-35043
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html
www.oracle.com/security-alerts/cpuoct2021.html