GHSA-jvf5-rxvv-3mcgLow
TYPO3 HTML Sanitizer allows Cross-site Scripting
🔗 CVE IDs covered (1)
📋 Description
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Credits to IPC Labs for reporting this vulnerability.
🎯 Affected products1
- composer/typo3/html-sanitizer:< 2.3.2
🔗 References (6)
- https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-jvf5-rxvv-3mcg
- https://nvd.nist.gov/vuln/detail/CVE-2026-47344
- https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5a5f67f1120ec41084e9c1a0675641c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/html-sanitizer/CVE-2026-47344.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2026-006
- https://github.com/advisories/GHSA-jvf5-rxvv-3mcg