Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer
Description
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of typo3/html-sanitizer. This issue has been addressed in versions 1.0.7 and 2.0.16 of the typo3/html-sanitizer package. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A parsing issue in the upstream masterminds/html5 library allows XSS bypass in typo3/html-sanitizer via specially crafted HTML comments.
Vulnerability
Description
The typo3/html-sanitizer package, designed to produce XSS-safe markup by allowing only explicitly permitted tags, attributes, and values, is affected by a parsing issue originating from its upstream dependency, masterminds/html5 [1]. Due to this parsing flaw, malicious markup used in a sequence with special HTML comments cannot be properly filtered and sanitized [1]. This allows an attacker to bypass the cross-site scripting (XSS) protection mechanism that the sanitizer is intended to enforce [1].
Exploitation
Method
The vulnerability can be exploited by crafting input that includes special HTML comment sequences which are not correctly parsed by the masterminds/html5 library [1]. Because the sanitizer relies on this upstream parser to interpret and normalize HTML before applying its allow list, a parsing error at that stage can cause the sanitizer to fail to detect or neutralize malicious payloads [1]. The attack does not require advanced authentication; it can be delivered via any vector that submits user-controllable HTML content to an application using the vulnerable sanitizer.
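The parser differential described above, as an added example that is not code from the advisory or from typo3/html-sanitizer: a toy comment tokenizer run once with and once without the comment end bang terminator (`--!>`, the state named in the fix commit), feeding a toy allow-list sanitizer. The inputs are the rows from the fix commit's test; the `tokenize`, `sanitize` and `markup_hidden_from_naive_parser` functions are this example's own and only model tag names, not attributes.

```python
"""Parser-differential demo (added example; not typo3/html-sanitizer code).

A sanitizer can only filter what its parser shows it.  If the parser ends
comments only at '-->' while the browser also ends them at '--!>' (the WHATWG
"comment end bang state"), everything between '--!>' and the next '-->' is a
comment to the sanitizer and live markup to the browser.
"""
import re
from typing import List, Tuple

COMMENT_START = "<!--"
TAG_NAME_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9-]*)")


def tokenize(html: str, honour_bang: bool) -> List[Tuple[str, str]]:
    """Split html into ("comment", body) and ("markup", text) tokens.

    honour_bang=True : '-->' and '--!>' both close a comment (conformant).
    honour_bang=False: only '-->' closes a comment (the pre-fix behaviour).
    Abrupt closings such as '<!-->' are not modelled; EOF inside a comment
    turns the rest of the input into comment data, as in the WHATWG tokenizer.
    """
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(html):
        start = html.find(COMMENT_START, pos)
        if start == -1:
            tokens.append(("markup", html[pos:]))
            break
        if start > pos:
            tokens.append(("markup", html[pos:start]))
        body_start = start + len(COMMENT_START)
        terminators = ["-->", "--!>"] if honour_bang else ["-->"]
        hits = [(html.find(t, body_start), len(t)) for t in terminators]
        hits = [(i, n) for i, n in hits if i != -1]
        if not hits:
            tokens.append(("comment", html[body_start:]))
            break
        end, width = min(hits)  # earliest terminator wins
        tokens.append(("comment", html[body_start:end]))
        pos = end + width
    return tokens


def sanitize(html: str, allowed_tags: Tuple[str, ...], honour_bang: bool) -> str:
    """Toy allow-list sanitizer built on tokenize().

    Comments are re-serialised with a normalised '-->' terminator (the fixed
    test expects '<!--any--!>' to come back as '<!--any-->').  A markup token
    containing any tag that is not in allowed_tags is dropped whole, a coarse
    stand-in for typo3's default of removing undeclared elements.
    """
    out = []
    allowed = {t.lower() for t in allowed_tags}
    for kind, text in tokenize(html, honour_bang):
        if kind == "comment":
            out.append(f"<!--{text}-->")
        else:
            names = {n.lower() for n in TAG_NAME_RE.findall(text)}
            if names <= allowed:  # plain text (no tags) always passes
                out.append(text)
    return "".join(out)


def markup_hidden_from_naive_parser(html: str) -> List[str]:
    """Markup tokens a conformant parser sees but the '-->'-only parser does not.

    A non-empty result means the input would slip past a sanitizer built on
    the naive parser; this is the regression check to keep for this bug class.
    """
    naive = {t for k, t in tokenize(html, honour_bang=False) if k == "markup"}
    return [t for k, t in tokenize(html, honour_bang=True)
            if k == "markup" and t not in naive]


if __name__ == "__main__":
    payload = '<!--any--!><div class="content">value</div>'  # row 3 of the fix's test
    print("fixed  :", sanitize(payload, (), honour_bang=True))
    print("pre-fix:", sanitize(payload, (), honour_bang=False))
    print("hidden :", markup_hidden_from_naive_parser(payload))
```

Run stand-alone, the script prints the fixed output `<!--any-->`, the pre-fix output in which the `<div>` survives inside what the naive parser believes is one long comment (so a browser, which does stop at `--!>`, renders it), and the list of markup the naive parser never saw. Those three calls, one row per terminator variant, are what a project's own test suite should pin down.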
Impact
Successful exploitation permits an attacker to inject arbitrary JavaScript or HTML that the sanitizer was supposed to block. This leads to stored or reflected cross-site scripting (XSS) attacks, potentially enabling session theft, credential harvesting, or defacement within the context of the affected application [1]. The impact is assessed as high because the sanitizer is a security boundary — its bypass undermines the core security promise of the library.
Mitigation
The issue has been addressed in versions 1.0.7 and 2.0.16 of the typo3/html-sanitizer package [1]. Users are strongly advised to upgrade to these or later versions. No workarounds are available [1]. The root cause lies in the upstream masterminds/html5 package, which may require separate updates; however, the sanitizer package itself has been patched to mitigate the parsing discrepancy [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/html-sanitizer (Packagist) | >= 1.0.0, < 1.0.7 | 1.0.7 |
| typo3/html-sanitizer (Packagist) | >= 2.0.0, < 2.0.16 | 2.0.16 |
| typo3/cms-core (Packagist) | >= 10.0.0, < 10.4.32 | 10.4.32 |
| typo3/cms-core (Packagist) | >= 11.0.0, < 11.5.16 | 11.5.16 |
| typo3/cms (Packagist) | >= 10.0.0, < 10.4.32 | 10.4.32 |
| typo3/cms (Packagist) | >= 11.0.0, < 11.5.16 | 11.5.16 |
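A lock-file check for the ranges in the table above, as an added example that is not part of the advisory or of any TYPO3 tooling. It reads a `composer.lock`, reports entries inside the affected ranges, and also reports masterminds/html5 below 2.7.6, the floor the fix commit sets in composer.json; treating every lower version of that parser as affected is this example's assumption. The lock-file content embedded at the bottom is a constructed sample.

```python
"""Added example (not part of the advisory): flag composer.lock entries that fall
inside the affected ranges from the 'Affected packages' table, plus
masterminds/html5 below the 2.7.6 floor the fix commit pins (assumption).
"""
import json
import re
from typing import List, Tuple

# (package, first affected version, first patched version), from the table above
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("typo3/html-sanitizer", "1.0.0", "1.0.7"),
    ("typo3/html-sanitizer", "2.0.0", "2.0.16"),
    ("typo3/cms-core", "10.0.0", "10.4.32"),
    ("typo3/cms-core", "11.0.0", "11.5.16"),
    ("typo3/cms", "10.0.0", "10.4.32"),
    ("typo3/cms", "11.0.0", "11.5.16"),
    ("masterminds/html5", "0.0.0", "2.7.6"),  # assumption: anything below the fixed floor
]

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Numeric (major, minor, patch) prefix of a Composer version such as 'v2.0.15'.

    Suffixes ('-beta1', '.x-dev') are ignored.  A branch alias such as
    'dev-main' yields (0, 0, 0), so it is never mistaken for a patched release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return (0, 0, 0)
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def affected_packages(lock_json: str) -> List[Tuple[str, str, str]]:
    """(name, installed version, first patched version) for each affected lock entry."""
    lock = json.loads(lock_json)
    findings: List[Tuple[str, str, str]] = []
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        name, installed = entry.get("name", ""), entry.get("version", "")
        v = parse_version(installed)
        for pkg, low, patched in AFFECTED_RANGES:
            if pkg == name and parse_version(low) <= v < parse_version(patched):
                findings.append((name, installed, patched))
    return findings


# Constructed sample lock file: sanitizer one release short of the fix, parser one
# release short of the floor, and an unrelated package that must not be reported.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/html-sanitizer", "version": "v2.0.15"},
        {"name": "masterminds/html5", "version": "2.7.5"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, installed, patched in affected_packages(SAMPLE_LOCK):
        print(f"{name} {installed} is affected; upgrade to >= {patched}")
```

Because the fix commit changes no sanitizer source and only raises the masterminds/html5 constraint, checking both packages matters: a lock file with the sanitizer at 2.0.16 but the parser still at 2.7.5 is the case this scanner is meant to catch.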
Affected products
Source: ghsa-coords (4 products, 3 version ranges)
- (no CPE) range: >= 10.0.0, < 10.4.32
- (no CPE) range: >= 10.0.0, < 10.4.32
- (no CPE) range: >= 1.0.0, < 1.0.7
- TYPO3/html-sanitizer (source: v5) range: >= 1.0.0, < 1.0.7
Patches
60bfdc7f9b39 [SECURITY] Correctly handle comment end bang state (#86)
2 files changed · +23 −1
composer.json+1 −1 modified@@ -16,7 +16,7 @@ }, "require": { "ext-dom": "*", - "masterminds/html5": "^2.7", + "masterminds/html5": "^2.7.6", "php": "^7.2 || ^8.0", "psr/log": "^1.0 || ^2.0 || ^3.0" },
tests/ScenarioTest.php+22 −0 modified@@ -21,6 +21,28 @@ class ScenarioTest extends TestCase { + public static function allTagsAreRemovedOnMissingDeclarationDataProvider(): array + { + return [ + ['<div class="content">value</div><span class="content">value</span>', ''], + ['<!--any--><div class="content">value</div>', '<!--any-->'], + ['<!--any--!><div class="content">value</div>', '<!--any-->'], + ]; + } + + /** + * @test + * @dataProvider allTagsAreRemovedOnMissingDeclarationDataProvider + */ + public function allTagsAreRemovedOnMissingDeclaration(string $payload, string $expectation): void + { + $behavior = new Behavior(); + $sanitizer = new Sanitizer( + new CommonVisitor($behavior) + ); + self::assertSame($expectation, $sanitizer->sanitize($payload)); + } + public static function tagFlagsAreProcessedDataProvider(): array { return [
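Review bot: the composer.json hunk is the entire fix; no sanitizer source changes in this commit, so the corrected comment-end-bang handling lives wholly in masterminds/html5 >= 2.7.6 and the `^2.7.6` constraint is the only thing enforcing it. That should be stated in the release notes, because the constraint only takes effect once a consumer's lock file is re-resolved; a partial `composer update typo3/html-sanitizer` that keeps masterminds/html5 2.7.5 locked cannot satisfy `"masterminds/html5": "^2.7.6"`, so the advisory should tell users to update the parser together with the sanitizer (for example with `--with-dependencies`).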
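Review bot: the third data row (`'<!--any--!><div class="content">value</div>'` expecting `'<!--any-->'`) is the actual regression case for the comment end bang state, but neither the method name nor a comment says so, and the first row (no comment at all) reads as an unrelated baseline; add a short comment on the `--!>` row naming the terminator it covers, and consider one more row with a comment that is never closed (`'<!--any<div class="content">value</div>'`) so the provider also pins down the EOF-in-comment path of the parser rather than only the two terminator spellings.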
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-47m6-46mj-p235 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36020 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36020.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36020.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/html-sanitizer/CVE-2022-36020.yaml (ghsa, WEB)
- github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493 (ghsa, x_refsource_MISC, WEB)
- github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235 (ghsa, x_refsource_CONFIRM, WEB)
- packagist.org/packages/masterminds/html5 (ghsa, x_refsource_MISC, WEB)
- packagist.org/packages/typo3/html-sanitizer (ghsa, x_refsource_MISC, WEB)
- typo3.org/security/advisory/typo3-core-sa-2022-011 (ghsa, WEB)
News mentions
No linked articles in our index yet.