typo3/html-sanitizer: Whitespace-variant closing tags bypass sanitization when ALLOW_INSECURE_RAW_TEXT is enabled
What changed
When ALLOW_INSECURE_RAW_TEXT is enabled, the sanitizer fails to recognize whitespace-variant closing tags (e.g., </style\t>) as valid end tags, while browsers accept them. This allows subsequent content to escape sanitization.
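The mismatch described above, as an added example (not code from typo3/html-sanitizer): a scan that recognises only the literal `</style>` beside one that follows the HTML tokenizer's end-tag rule (tag name followed by whitespace, `/` or `>`), plus a helper that reports the markup a browser would parse as elements while the exact-match scan would still pass it through as raw text. It is written in Python rather than PHP because it demonstrates the parsing rule, not the library's API; the sample document is constructed.

```python
import re

# Raw-text elements: a browser treats everything after the start tag as literal
# text until it sees the element's end tag, so this boundary decides what gets parsed.
RAW_TEXT_ELEMENTS = ("script", "style")

def naive_end_tag(html, tag, start):
    """Exact-match scan: recognises only the literal '</tag>' (case-insensitive).
    Returns (tag_start, tag_end) or None."""
    idx = html.lower().find(f"</{tag}>", start)
    return None if idx < 0 else (idx, idx + len(tag) + 3)

def spec_end_tag(html, tag, start):
    """HTML tokenizer rule: '</tag' ends the raw text when the name is followed by
    whitespace, '/' or '>'; whatever follows the name is skipped up to the next '>'."""
    pattern = re.compile("</" + re.escape(tag) + r"(?=[\t\n\f\r />])", re.I)
    m = pattern.search(html, start)
    if m is None:
        return None
    close = html.find(">", m.end())
    return (m.start(), len(html) if close < 0 else close + 1)

def raw_text_content(html, end_tag_finder):
    """Locate the first raw-text element and return
    (content_start, end_tag_start, end_tag_end) as seen by end_tag_finder."""
    names = "|".join(RAW_TEXT_ELEMENTS)
    m = re.compile(r"<(" + names + r")(?:[\t\n\f\r /][^>]*)?>", re.I).search(html)
    if m is None:
        return None
    found = end_tag_finder(html, m.group(1).lower(), m.end())
    if found is None:                       # unterminated: raw text runs to the end
        found = (len(html), len(html))
    return (m.end(), found[0], found[1])

def leaked_markup(html):
    """Markup a browser parses as elements but an exact-match scan would pass
    through untouched as raw text. Empty string when both scans agree."""
    naive = raw_text_content(html, naive_end_tag)
    spec = raw_text_content(html, spec_end_tag)
    if naive is None or spec is None or spec[2] >= naive[1]:
        return ""
    return html[spec[2]:naive[1]]

# Constructed sample: a tab inside the end tag, as in the advisory's example.
SAMPLE = "<style>p{color:red}</style\t><b>bold</b><p>after</p></style>"

if __name__ == "__main__":
    print(repr(leaked_markup(SAMPLE)))    # '<b>bold</b><p>after</p>'
```

A sanitizer that uses the spec-style finder closes the raw-text span where the browser does, so nothing after the variant end tag is passed through unparsed.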
Who it affects
Users of typo3/html-sanitizer before version 2.3.2 who enable ALLOW_INSECURE_RAW_TEXT.
What to do today
Upgrade typo3/html-sanitizer to version 2.3.2 or later.