TYPO3 html-sanitizer
cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*
- < 2.3.2
A vulnerability in TYPO3 Html-Sanitizer prior to version 2.3.2 allows for a cross-site scripting (XSS) bypass. When the ALLOW_INSECURE_RAW_TEXT option is enabled, the sanitizer fails to recognize whitespace-variant closing tags, such as '</style >', as invalid. Browsers accept these tags as legitimate, which can lead to content escaping the intended sanitization. This flaw allows for the evasion of XSS prevention mechanisms within the affected version of the sanitizer.
Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
To reproduce this vulnerability, enable the ALLOW_INSECURE_RAW_TEXT option in TYPO3 Html-Sanitizer versions prior to 2.3.2. Then, introduce a whitespace-variant closing tag, such as '</style >', within raw text content. The sanitizer will not recognize the tag as a closing tag, allowing the content to escape sanitization. This can be tested by injecting a script payload, which will be executed, demonstrating the XSS bypass.
Users can update to TYPO3 Html-Sanitizer version 2.3.2 or later, where this vulnerability has been addressed.
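The parsing mismatch described above can be checked mechanically. The following is an added example, not code from the html-sanitizer project: it compares where a browser's HTML tokenizer ends raw text inside an element such as style with what a matcher that only knows the literal closing tag sees. The function names, the sample strings and the literal-only matcher are assumptions made for illustration.

```javascript
// Added example: function names and sample strings are constructed for illustration.
// In the HTML tokenizer, raw text inside <style> ends at "</style" (any letter case)
// when the next character is tab, LF, FF, CR, space, "/" or ">".
function assertTagName(tagName) {
  if (!/^[a-z][a-z0-9]*$/i.test(tagName)) throw new Error('unexpected tag name');
}

// Offset where a browser stops treating `content` as raw text, or -1.
function browserRawTextEnd(content, tagName) {
  assertTagName(tagName);
  return content.search(new RegExp('</' + tagName + '[\\t\\n\\f\\r />]', 'i'));
}

// Offset found by a check that only knows the literal closing tag, or -1.
// This stands in for any matcher that misses whitespace variants (assumption).
function literalRawTextEnd(content, tagName) {
  assertTagName(tagName);
  return content.search(new RegExp('</' + tagName + '>', 'i'));
}

// Inputs on which the two views disagree: the literal check sees no closing
// tag (or a later one) while a browser has already left the raw-text element.
function findMismatches(samples, tagName) {
  return samples.filter(
    (s) => browserRawTextEnd(s, tagName) !== literalRawTextEnd(s, tagName)
  );
}

// Constructed raw-text contents; the trailing <b> stands in for any markup
// that must not reach the page unsanitized.
const SAMPLES = [
  'p { color: red }',
  'p{}</style><b>x</b>',
  'p{}</style ><b>x</b>',
  'p{}</STYLE\n><b>x</b>',
  'p{}</style/><b>x</b>',
  'p{}</styles><b>x</b>',
];

for (const s of findMismatches(SAMPLES, 'style')) {
  console.log('escapes raw text at offset', browserRawTextEnd(s, 'style'), JSON.stringify(s));
}
```

A check like browserRawTextEnd can be run over the raw-text content a sanitizer emits, as a regression test after upgrading, to confirm that no sequence a browser would treat as the closing tag survives.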