When guest HTML contains an element that is not permitted by Caja's whitelist, it is renamed to a custom element (e.g. `<title>` becomes `<caja-v-title>`) so that it may exist in the DOM without having any of the side effects of the original name. However, such renaming could change how the text content of the element is parsed — in particular, if the old name was a "raw text" or "CDATA" element in which the content may contain `<` characters interpreted as text rather than markup. In this case, the result of the renaming is that the HTML passed to the browser contains unfiltered markup.
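
The parsing difference described above, shown as an added example (it is not Caja's code or its actual fix). `ALLOWED`, the function names and the sample input are assumptions made for illustration; the hardened variant entity-escapes text that came from a text-content element before emitting it under the renamed tag.

```javascript
// Added example; ALLOWED, the function names and the sample input are constructed.

// Elements whose content the HTML parser tokenizes as text rather than markup.
const TEXT_CONTENT_ELEMENTS = new Set([
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext', // raw text
  'title', 'textarea', // escapable raw text (character references are decoded)
]);

// Hypothetical whitelist standing in for the sanitizer's real one.
const ALLOWED = new Set(['b', 'i', 'p', 'div', 'span']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// `text` is the element's content as the parser produced it under the ORIGINAL
// name. For the elements above that is plain text, so '<' in it is a character.

// Naive renaming: re-emits the text verbatim inside the new element name.
function renameNaive(name, text) {
  const out = ALLOWED.has(name) ? name : `caja-v-${name}`;
  return `<${out}>${text}</${out}>`;
}

// Hardened renaming: the custom element parses its content as ordinary markup,
// so text taken from a text-content element is entity-escaped first.
function renameHardened(name, text) {
  const out = ALLOWED.has(name) ? name : `caja-v-${name}`;
  const needsEscape = out !== name && TEXT_CONTENT_ELEMENTS.has(name);
  return `<${out}>${needsEscape ? escapeText(text) : text}</${out}>`;
}

// Counts start tags a browser would see when parsing `html` as normal content.
function countStartTags(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}

const sample = { name: 'title', text: 'a <b>bold</b> claim' }; // constructed input
console.log(renameNaive(sample.name, sample.text));
console.log(renameHardened(sample.name, sample.text));
```

With the naive form the renamed element gains a child `<b>` element that was only text under `<title>`; with the hardened form the content stays text.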
## Impact and Advice
This is a complete breach of the Caja DOM sandbox. Applications of Caja which provide a DOM to the guest should immediately upgrade to Caja v6014: https://github.com/google/caja/releases/tag/v6014
Applications of Caja which do not provide a DOM to the guest are not affected.
Applications of the standalone html-sanitizer which utilize tag renaming are also potentially affected and will be protected by the update.