Whitespace-Variant XSS Bypass in TYPO3 html-sanitizer

Executive Summary

This vulnerability occurs in the TYPO3 html-sanitizer library when the ALLOW_INSECURE_RAW_TEXT option is enabled. It involves improper handling of closing HTML tags that contain whitespace variations, such as </style\t>. These tags are not recognized by the sanitizer as valid end tags but are accepted by browsers, allowing malicious content to bypass the sanitization process.

As a result, attackers can bypass the cross-site scripting (XSS) prevention mechanism by injecting content that escapes sanitization, potentially leading to execution of malicious scripts.

The fix ensures that the HTML5 parser correctly recognizes these whitespace-variant closing tags as valid end tags and prevents raw-text passthrough inside elements like <noscript>, where browsers might otherwise parse content as raw text and allow malicious payloads to escape sanitization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass the HTML sanitization process and inject malicious scripts into web pages, leading to cross-site scripting (XSS) attacks.

Such XSS attacks can result in unauthorized actions performed on behalf of users, theft of sensitive information like cookies or session tokens, defacement of websites, or distribution of malware.

If your application uses TYPO3 html-sanitizer with the vulnerable configuration, it may be exposed to these risks until updated to a fixed version.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-47344 vulnerability, update the TYPO3 html-sanitizer library to version 2.3.2 or later, which includes fixes that properly recognize whitespace-variant closing tags as valid end tags and prevent raw-text passthrough inside <noscript> elements.

These fixes involve changes to the parser, tokenizer, and sanitizer components to ensure that raw-text content is properly sanitized and that insecure raw-text behavior is denied in specific contexts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when the ALLOW_INSECURE_RAW_TEXT option is enabled in the TYPO3 html-sanitizer library, allowing whitespace-variant closing tags (e.g., </style\t>) to bypass sanitization.

To detect this vulnerability on your system, you should check the configuration of the html-sanitizer library to see if ALLOW_INSECURE_RAW_TEXT is enabled.

Additionally, you can test if your system is vulnerable by attempting to sanitize HTML content containing whitespace-variant closing tags such as </style\t> and observing if the sanitizer fails to recognize them as valid end tags.

There are no specific commands provided in the available resources, but a practical approach is to create test HTML inputs with such whitespace-variant closing tags and verify if the sanitizer properly removes or escapes them.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows bypassing the cross-site scripting (XSS) prevention mechanism in the TYPO3 html-sanitizer, potentially enabling malicious scripts to execute in users' browsers.

Such XSS vulnerabilities can lead to unauthorized access to sensitive user data or session hijacking, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by exposing protected data through client-side attacks.

Useful 0 Not Useful 0