GHSA-HHG7-C65M-H7FF

Vulnerability from github – Published: 2026-05-28 16:43 – Updated: 2026-05-28 16:43
VLAI
Summary
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
Details

Description

symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is decided by the element/attribute allow-list; validating the scheme of a URL attribute is solely UrlAttributeSanitizer's responsibility.

UrlAttributeSanitizer::getSupportedAttributes() returned only ['src', 'href', 'lowsrc', 'background', 'ping']. The HTML URL-valued attributes action (<form>), formaction (<button>, <input type=image>), poster (<video>) and cite (<blockquote>, <q>, <del>, <ins>) were missing from that list, so DomVisitor never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a javascript: URI in it survived sanitisation.

Conditions for exploitation

allowSafeElements() is not affected: <form> and the formaction attribute are both flagged unsafe in W3CReference, and allowElement('form') resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:

  • <form> + action: allowElement('form', '*'), allowElement('form', ['action', …]), allowElement('form')->allowAttribute('action', 'form'), or the allowStaticElements() preset (whose docblock already warns the output "may still contain other dangerous behaviors");
  • <button> / <input type=image> + formaction: allowElement(…, '*'), allowAttribute('formaction', …), or allowStaticElements();
  • <blockquote> / <q> / <del> / <ins> + cite, or <video> + poster: similarly via '*', allowAttribute(), or allowStaticElements().

For the action / formaction cases the victim must additionally submit the form or click the button.

Resolution

UrlAttributeSanitizer now also handles action, formaction, cite and poster. action / formaction / cite are validated against the link schemes (like <a href>, so javascript: is rejected and data: is dropped too); poster is validated against the media schemes (so data: images keep working). The behaviour of <a href> and <img src> is unchanged.

One behaviour change to be aware of: a relative action="/submit" on an allowed <form> is now dropped by default (the same as <a href> / <img src> today); ->allowRelativeLinks() re-enables it.

The patch for this issue is available here for branch 6.4.

Credits

Symfony would like to thank Himanshu Anand and Rémi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/html-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/html-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/html-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T16:43:27Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n`symfony/html-sanitizer` lets applications sanitise untrusted HTML. `UrlAttributeSanitizer` is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is *kept* is decided by the element/attribute allow-list; validating the *scheme* of a URL attribute is solely `UrlAttributeSanitizer`\u0027s responsibility.\n\n`UrlAttributeSanitizer::getSupportedAttributes()` returned only `[\u0027src\u0027, \u0027href\u0027, \u0027lowsrc\u0027, \u0027background\u0027, \u0027ping\u0027]`. The HTML URL-valued attributes `action` (`\u003cform\u003e`), `formaction` (`\u003cbutton\u003e`, `\u003cinput type=image\u003e`), `poster` (`\u003cvideo\u003e`) and `cite` (`\u003cblockquote\u003e`, `\u003cq\u003e`, `\u003cdel\u003e`, `\u003cins\u003e`) were missing from that list, so `DomVisitor` never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a `javascript:` URI in it survived sanitisation.\n\n### Conditions for exploitation\n\n`allowSafeElements()` is **not** affected: `\u003cform\u003e` and the `formaction` attribute are both flagged unsafe in `W3CReference`, and `allowElement(\u0027form\u0027)` resets the element\u0027s attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:\n\n* `\u003cform\u003e` + `action`: `allowElement(\u0027form\u0027, \u0027*\u0027)`, `allowElement(\u0027form\u0027, [\u0027action\u0027, \u2026])`, `allowElement(\u0027form\u0027)-\u003eallowAttribute(\u0027action\u0027, \u0027form\u0027)`, or the `allowStaticElements()` preset (whose docblock already warns the output \"may still contain other dangerous behaviors\");\n* `\u003cbutton\u003e` / `\u003cinput type=image\u003e` + `formaction`: `allowElement(\u2026, \u0027*\u0027)`, `allowAttribute(\u0027formaction\u0027, \u2026)`, or `allowStaticElements()`;\n* `\u003cblockquote\u003e` / `\u003cq\u003e` / `\u003cdel\u003e` / `\u003cins\u003e` + `cite`, or `\u003cvideo\u003e` + `poster`: similarly via `\u0027*\u0027`, `allowAttribute()`, or `allowStaticElements()`.\n\nFor the `action` / `formaction` cases the victim must additionally submit the form or click the button.\n\n### Resolution\n\n`UrlAttributeSanitizer` now also handles `action`, `formaction`, `cite` and `poster`. `action` / `formaction` / `cite` are validated against the link schemes (like `\u003ca href\u003e`, so `javascript:` is rejected and `data:` is dropped too); `poster` is validated against the media schemes (so `data:` images keep working). The behaviour of `\u003ca href\u003e` and `\u003cimg src\u003e` is unchanged.\n\nOne behaviour change to be aware of: a relative `action=\"/submit\"` on an allowed `\u003cform\u003e` is now dropped by default (the same as `\u003ca href\u003e` / `\u003cimg src\u003e` today); `-\u003eallowRelativeLinks()` re-enables it.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e) for branch 6.4.\n\n### Credits\n\nSymfony would like to thank Himanshu Anand and R\u00e9mi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.",
  "id": "GHSA-hhg7-c65m-h7ff",
  "modified": "2026-05-28T16:43:28Z",
  "published": "2026-05-28T16:43:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/html-sanitizer/CVE-2026-45753.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45753.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2026-45753"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony\u0027s HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite \u2014 `javascript`: URI Survives Sanitization (XSS)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…