GHSA-jvf5-rxvv-3mcgLow

TYPO3 HTML Sanitizer allows Cross-site Scripting

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

Credits to IPC Labs for reporting this vulnerability.

🎯 Affected products1

  • composer/typo3/html-sanitizer:< 2.3.2

🔗 References (6)