VYPR
Medium severity · NVD Advisory · Published Jun 8, 2026

CVE-2026-47345

Description

TYPO3 html-sanitizer versions prior to 2.3.2 are vulnerable to XSS due to improper encoding of namespace attributes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Namespace attributes were not encoded correctly during HTML serialization in the typo3/html-sanitizer library before version 2.3.2. This allowed the library's cross-site scripting prevention to be bypassed. [1]

Exploitation

An attacker supplies HTML in which a namespace declaration (`xmlns:prefix="..."`) carries a value that, once the parser has decoded its entities, contains a double quote followed by a tag, for example `"><img src=x onerror=alert(document.domain)>` (the `#950` test case added in the fix). The sanitizer keeps the declaration, and vulnerable versions wrote the decoded value back into the output without escaping it, so the quote closes the attribute and the `<img>` element with its event handler becomes part of the serialized markup. [1]

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to cross-site scripting (XSS) attacks, potentially resulting in session hijacking, data theft, or defacement of the affected web page. [1]

Mitigation

The vulnerability is fixed in version 2.3.2 of the typo3/html-sanitizer library. Users should update to version 2.3.2 or later to address this issue. [1]

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1
8b5d0be44ded

[SECURITY] Encode namespace attributes

https://github.com/TYPO3/html-sanitizer · Benjamin Franzke · Apr 27, 2026 · via nvd-ref
2 files changed · +22 −0
  • src/Serializer/Rules.php (+17 −0, modified)
    @@ -221,6 +221,23 @@ protected function isVoid(?DOMNode $domNode): bool
                 && Elements::isA($domNode->localName, Elements::VOID_TAG);
         }
     
    +    /**
    +     * Write the namespace attributes.
    +     *
    +     * @param \DOMNode $ele The element being written.
    +     */
    +    #[\Override]
    +    protected function namespaceAttrs($ele)
    +    {
    +        $xpath = new \DOMXPath($ele->ownerDocument);
    +
    +        foreach ($xpath->query('namespace::*[not(.=../../namespace::*)]', $ele) as $nsNode) {
    +            if (!in_array($nsNode->nodeValue, $this->implicitNamespaces)) {
    +                $this->wr(' ')->wr($nsNode->nodeName)->wr('="')->wr($this->enc($nsNode->nodeValue, true))->wr('"');
    +            }
    +        }
    +    }
    +
         protected function hasAncestorWithName(?DOMNode $domNode, string $ancestorName): bool
         {
             if (!$domNode instanceof DOMNode) {
    
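Review bot: in the override, `wr($nsNode->nodeName)` still writes the namespace attribute name unescaped while only the value goes through `enc()`. If the parser guarantees that a namespace node name is always a well-formed `xmlns:prefix` QName, a one-line comment stating that assumption would make the review easier; otherwise the name needs the same treatment as the value. Two smaller points: `in_array($nsNode->nodeValue, $this->implicitNamespaces)` should pass `true` as the third argument so the comparison is strict rather than PHP's loose `==`, and the `true` passed to `enc()` deserves a short comment saying it selects attribute-value escaping, since the docblock only says "Write the namespace attributes."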
  • tests/CommonBuilderTest.php (+5 −0, modified)
    @@ -313,6 +313,11 @@ public static function isSanitizedDataProvider(): iterable
             yield '#941' => [
                 '<?xml >s<img src=x onerror=alert(1)> ?>',
                 '&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
    +
    +        ];
    +        yield '#950' => [
    +            '<div xmlns:x="&quot;&gt;&lt;img src=x onerror=alert(document.domain)&gt;">text</div>',
    +            '<div xmlns:x="&quot;&gt;&lt;img src=x onerror=alert(document.domain)&gt;">text</div>',
             ];
         }
     
    
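Review bot: the `+` blank line added inside the existing `#941` case (between its expected string and `];`) is unrelated whitespace noise in a security fix and should be dropped. For the new `#950` case, the input and expected output are byte-identical, which hides why the test is meaningful: the parser decodes `&quot;&gt;&lt;img ...&gt;` to a raw `"><img ...>` namespace value, and the assertion is that the serializer re-encodes it instead of emitting it verbatim. A short comment on the case saying so would help, and a companion case with a namespace declared on a parent element would cover the `[not(.=../../namespace::*)]` branch that the new `namespaceAttrs()` relies on.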

Vulnerability mechanics

Root cause

"Namespace attributes are not encoded correctly during HTML serialization."

Attack vector

The vulnerability allows bypassing cross-site scripting prevention mechanisms by manipulating namespace attributes. An attacker could craft HTML input containing specially formatted namespace attributes that are not properly escaped by the sanitizer. This could lead to the injection of malicious scripts that are then executed in the context of the user's browser.

Affected code

The vulnerability lies in the HTML serialization logic of the `typo3/html-sanitizer` library. The patch [patch_id=5247381] adds a `namespaceAttrs` override (marked `#[\Override]`) to `src/Serializer/Rules.php`; before it, the inherited serializer implementation wrote namespace declarations such as `xmlns:x="..."` back into the output without escaping their values, so attacker-controlled content in such a value became part of the serialized markup.

What the fix does

The patch introduces a `namespaceAttrs` override that handles namespace declarations during HTML serialization [patch_id=5247381]. It walks the element's XPath namespace axis, keeps only declarations that are new on that element (`namespace::*[not(.=../../namespace::*)]`) and not in the serializer's implicit-namespace list, and writes each as `name="value"` with the value passed through `enc($value, true)`, the attribute-context escaping that turns `"` into `&quot;` and `<`/`>` into `&lt;`/`&gt;`, exactly as the `#950` test case expects. A value that used to close the quoted attribute is now emitted as inert attribute text.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
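The serialization path described under Exploitation and in "What the fix does", reduced to a stand-alone script. This is an added example, not code from typo3/html-sanitizer: it builds the DOM directly with `setAttributeNS` instead of going through the library's HTML5 parser, uses `html_entity_decode` to stand in for the parser's entity decoding, and uses `htmlspecialchars` to stand in for the library's `enc($value, true)`. The attribute value is copied from the `#950` test input; the function and constant names are the example's own. Running it prints the pre-2.3.2 output, in which the namespace value breaks out of its attribute and a re-parse yields an `<img>` element, beside the fixed output, which matches the expected string in the test.

```php
<?php
// Added example (not typo3/html-sanitizer code): vulnerable vs. fixed
// namespace-attribute serialization, driven by the #950 test input.
declare(strict_types=1);

const XMLNS_NS = 'http://www.w3.org/2000/xmlns/';
const XML_NS   = 'http://www.w3.org/XML/1998/namespace';

// Attribute value exactly as it appears in the #950 test input (constructed
// from the fix commit). The HTML parser decodes these entities before the
// value reaches the DOM, so the serializer sees a raw quote and a raw tag.
const RAW_ATTR_VALUE = '&quot;&gt;&lt;img src=x onerror=alert(document.domain)&gt;';

/** Build a DOM whose <div> carries an xmlns:x declaration with the decoded value. */
function buildFragment(string $rawValue): DOMElement
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $div = $doc->createElement('div');
    $doc->appendChild($div);
    // Stand-in for the parser's entity decoding (assumption, see lead-in).
    $decoded = html_entity_decode($rawValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $div->setAttributeNS(XMLNS_NS, 'xmlns:x', $decoded);
    $div->appendChild($doc->createTextNode('text'));
    return $div;
}

/**
 * Mirror of the patched namespaceAttrs() logic: walk the namespace axis and
 * write every declaration that is new on this element. $encode === false
 * reproduces the pre-2.3.2 behaviour (value written verbatim); true
 * reproduces the fix (attribute-context escaping, standing in for enc($v, true)).
 */
function namespaceAttrs(DOMElement $ele, bool $encode): string
{
    $xpath = new DOMXPath($ele->ownerDocument);
    $out = '';
    foreach ($xpath->query('namespace::*[not(.=../../namespace::*)]', $ele) as $nsNode) {
        if ($nsNode->nodeValue === XML_NS) {
            continue; // the implicit xml namespace is never serialized
        }
        $value = $encode
            ? htmlspecialchars($nsNode->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : $nsNode->nodeValue;
        $out .= ' ' . $nsNode->nodeName . '="' . $value . '"';
    }
    return $out;
}

/** Serialize a single element with only its namespace attributes and text. */
function serializeElement(DOMElement $ele, bool $encode): string
{
    $text = htmlspecialchars($ele->textContent, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
    return '<' . $ele->tagName . namespaceAttrs($ele, $encode) . '>'
        . $text . '</' . $ele->tagName . '>';
}

/** Re-parse serializer output as HTML and count <img> elements that appeared. */
function countImgElements(string $html): int
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    return $doc->getElementsByTagName('img')->length;
}

$div = buildFragment(RAW_ATTR_VALUE);
$vulnerable = serializeElement($div, false);
$fixed = serializeElement($div, true);

echo "before fix: {$vulnerable}\n";
echo "after fix:  {$fixed}\n";
echo '<img> elements after re-parsing: before=' . countImgElements($vulnerable)
    . ' after=' . countImgElements($fixed) . "\n";
```

The vulnerable output is `<div xmlns:x=""><img src=x onerror=alert(document.domain)>">text</div>`: the first `"` of the decoded value terminates the attribute and the rest is parsed as a new element, so the re-parse count is 1. The fixed output is the `#950` expected string and re-parses to no `<img>` at all. The XPath expression is the one from the patch; any serializer that emits namespace declarations from the DOM needs the same escaping it applies to ordinary attribute values.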

References: 2