PT-2025-5634 · Unknown · Php-Textile

Published: 2025-01-07 · Updated: 2025-01-07

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: PHP-Textile versions 4.1.2 and older
Description: A persistent XSS issue exists in the image link handling of PHP-Textile when the parser runs in restricted mode. This mode is expected to sanitize input so that user-supplied content can be handled safely. However, in restricted mode, version 4.1.2 of the library fails to sanitize or validate the user-controllable href of image links, allowing any link protocol, including JavaScript links, to be used. An attacker can add malicious JavaScript code to the page, which is executed when an unsuspecting user clicks the link.
Recommendations: For PHP-Textile versions 4.1.2 and older, update to version 4.1.3, which disallows the use of JavaScript in image links when the parser is run in restricted mode. To enable restricted mode, call the Parser::setRestricted() method before calling the parse method.
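The following is an added example, not code from the PHP-Textile project or from this advisory. It shows the recommended usage (restricted mode enabled before parsing) together with a defense-in-depth check that an integrator can keep regardless of library version: every link target in the rendered output is checked against a scheme allowlist, and anchors whose target is not allowed lose their href. It assumes a Composer autoloader and the Netcarver\Textile\Parser class of PHP-Textile 4.x with the setRestricted() and parse() methods named above; the allowlist, the helper names and the sample input are this example's own.

```php
<?php
// Added example (not PHP-Textile code): restricted-mode rendering plus a
// post-render link-scheme allowlist as defense in depth.
// Assumption: Composer autoloader and PHP-Textile 4.x are installed.
require __DIR__ . '/vendor/autoload.php';

use Netcarver\Textile\Parser;

/** Schemes permitted in link targets that come from untrusted content (assumed policy). */
const ALLOWED_LINK_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return true if $href is relative (no scheme) or uses an allowed scheme.
 * Leading control characters and whitespace are stripped first, because
 * browsers ignore them when resolving a URL.
 */
function isAllowedHref(string $href): bool
{
    $href = preg_replace('/^[\x00-\x20]+/', '', $href);
    // No "scheme:" prefix means a relative or fragment-only link.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $href, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_LINK_SCHEMES, true);
}

/**
 * Render untrusted Textile in restricted mode, as the advisory recommends,
 * then remove the href of any anchor whose target fails the allowlist.
 */
function renderUntrustedTextile(string $textile): string
{
    $parser = new Parser();
    // setRestricted() must be called before parse() for restricted mode to apply.
    $html = $parser->setRestricted(true)->parse($textile);

    // Parse the fragment so attribute values are inspected as the browser would see them.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('a') as $anchor) {
        if ($anchor->hasAttribute('href') && !isAllowedHref($anchor->getAttribute('href'))) {
            $anchor->removeAttribute('href');
        }
    }

    // Serialise the wrapper's children without the wrapper itself.
    $out = '';
    foreach ($doc->documentElement->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: a Textile image with a link target ("!img!:url" syntax).
$sample = 'Logo: !/images/logo.png!:https://example.test/home';
echo renderUntrustedTextile($sample), PHP_EOL;
```

Keeping the allowlist check after upgrading to 4.1.3 costs little and catches any other path by which an unexpected scheme might reach an href, which is the kind of failure a single parser-mode flag does not guarantee against.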

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-95M2-CHM4-MQ7M

Affected Products

Php-Textile