Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

GHSA-HHG7-C65M-H7FF Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

PT-2026-44727

Name of the Vulnerable Software and Affected Versions symfony/html-sanitizer versions prior to 6.4 Description The UrlAttributeSanitizer visitor fails to validate the schemes of several URL-valued attributes because they are missing from the getSupportedAttributes list. Specifically, the action...

Cross-site Scripting (XSS)

Overview symfony/html-sanitizer is a Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM. Affected versions of this package are vulnerable to Cross-site Scripting XSS via incomplete URL attribute validation in UrlAttributeSanitizer. An attacke...

CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)

More info at https://symfony.com/cve-2026-45753...