PT-2022-16031 · Typo3 · Typo3/Html-Sanitizer

David Klein · Published 2022-12-13 · Updated 2022-12-16 · CVE-2022-23499

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: typo3/html-sanitizer versions prior to 1.5.0 or 2.1.1

Description: The HTML sanitizer is written in PHP and aims to provide XSS-safe markup based on explicitly allowed tags, attributes, and values. However, due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting protection of typo3/html-sanitizer. The upstream package masterminds/html5 returns the content of HTML raw text elements (script, style, noframes, noembed, and iframe) as DOMText nodes, which were not processed and sanitized any further. Only custom behaviors that allow one of those tag names were vulnerable to cross-site scripting.

Recommendations: Update to version 1.5.0 or 2.1.1 to fix the issue. As a temporary workaround, consider disabling custom behaviors that use the script, style, noframes, noembed, or iframe tag names until a patch is available. Restrict access to the vulnerable masterminds/html5 package to minimize the risk of exploitation.
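One way to enforce the workaround above as a defense-in-depth gate, as an added example that is not code from typo3/html-sanitizer or masterminds/html5: the sanitizer's output is re-parsed with PHP's built-in DOMDocument and rejected if any of the raw-text elements named in the advisory survived. It assumes a deployment whose behaviors do not legitimately allow those tags; the sample strings are constructed.

```php
<?php
// Added defense-in-depth check; not typo3/html-sanitizer's or masterminds/html5's own code.
// It re-parses the sanitizer's OUTPUT with PHP's built-in DOMDocument (ext/dom) and
// fails closed if any raw-text element named in the advisory is still present. Use it
// only in deployments whose behaviors do not legitimately allow these tags.

declare(strict_types=1);

// Raw-text element names listed in the advisory.
const RAW_TEXT_ELEMENTS = ['script', 'style', 'noframes', 'noembed', 'iframe'];

/**
 * Return the raw-text elements found in $html (tag name plus a short excerpt of
 * their text content, for logging). An empty array means the check passed.
 */
function findRawTextElements(string $html): array
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // fragments trigger harmless warnings
    $dom->loadHTML($html, LIBXML_HTML_NODEFDTD | LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach (RAW_TEXT_ELEMENTS as $name) {
        foreach ($dom->getElementsByTagName($name) as $element) {
            $findings[] = [
                'tag'     => $name,
                'excerpt' => substr(trim($element->textContent), 0, 40),
            ];
        }
    }
    return $findings;
}

/**
 * Gate a sanitized string: throw (fail closed) rather than emit markup that
 * still carries a raw-text element whose content the sanitizer may not have seen.
 */
function assertNoRawTextElements(string $sanitizedHtml): string
{
    $findings = findRawTextElements($sanitizedHtml);
    if ($findings !== []) {
        $tags = implode(', ', array_unique(array_column($findings, 'tag')));
        throw new RuntimeException("Sanitized output still contains raw-text element(s): $tags");
    }
    return $sanitizedHtml;
}

// Constructed sample outputs (not from the advisory): benign markup passes,
// markup that still carries a <style> element is reported.
var_dump(findRawTextElements('<p>hello <b>world</b></p>') === []);            // bool(true)
var_dump(count(findRawTextElements('<p>x</p><style>p{color:red}</style>')));   // int(1)
```

Wire assertNoRawTextElements() around the sanitizer call at the output boundary so a bypass is logged and blocked instead of rendered.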

Weakness Enumeration: XSS

Related Identifiers: CVE-2022-23499, GHSA-HVWX-QH2H-XCFJ

Affected Products: Typo3/Html-Sanitizer