GHSA-HHG7-C65M-H7FF
Vulnerability from github – Published: 2026-05-28 16:43 – Updated: 2026-05-28 16:43Description
symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is decided by the element/attribute allow-list; validating the scheme of a URL attribute is solely UrlAttributeSanitizer's responsibility.
UrlAttributeSanitizer::getSupportedAttributes() returned only ['src', 'href', 'lowsrc', 'background', 'ping']. The HTML URL-valued attributes action (<form>), formaction (<button>, <input type=image>), poster (<video>) and cite (<blockquote>, <q>, <del>, <ins>) were missing from that list, so DomVisitor never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a javascript: URI in it survived sanitisation.
Conditions for exploitation
allowSafeElements() is not affected: <form> and the formaction attribute are both flagged unsafe in W3CReference, and allowElement('form') resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:
<form>+action:allowElement('form', '*'),allowElement('form', ['action', …]),allowElement('form')->allowAttribute('action', 'form'), or theallowStaticElements()preset (whose docblock already warns the output "may still contain other dangerous behaviors");<button>/<input type=image>+formaction:allowElement(…, '*'),allowAttribute('formaction', …), orallowStaticElements();<blockquote>/<q>/<del>/<ins>+cite, or<video>+poster: similarly via'*',allowAttribute(), orallowStaticElements().
For the action / formaction cases the victim must additionally submit the form or click the button.
Resolution
UrlAttributeSanitizer now also handles action, formaction, cite and poster. action / formaction / cite are validated against the link schemes (like <a href>, so javascript: is rejected and data: is dropped too); poster is validated against the media schemes (so data: images keep working). The behaviour of <a href> and <img src> is unchanged.
One behaviour change to be aware of: a relative action="/submit" on an allowed <form> is now dropped by default (the same as <a href> / <img src> today); ->allowRelativeLinks() re-enables it.
The patch for this issue is available here for branch 6.4.
Credits
Symfony would like to thank Himanshu Anand and Rémi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45753"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T16:43:27Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`symfony/html-sanitizer` lets applications sanitise untrusted HTML. `UrlAttributeSanitizer` is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is *kept* is decided by the element/attribute allow-list; validating the *scheme* of a URL attribute is solely `UrlAttributeSanitizer`\u0027s responsibility.\n\n`UrlAttributeSanitizer::getSupportedAttributes()` returned only `[\u0027src\u0027, \u0027href\u0027, \u0027lowsrc\u0027, \u0027background\u0027, \u0027ping\u0027]`. The HTML URL-valued attributes `action` (`\u003cform\u003e`), `formaction` (`\u003cbutton\u003e`, `\u003cinput type=image\u003e`), `poster` (`\u003cvideo\u003e`) and `cite` (`\u003cblockquote\u003e`, `\u003cq\u003e`, `\u003cdel\u003e`, `\u003cins\u003e`) were missing from that list, so `DomVisitor` never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a `javascript:` URI in it survived sanitisation.\n\n### Conditions for exploitation\n\n`allowSafeElements()` is **not** affected: `\u003cform\u003e` and the `formaction` attribute are both flagged unsafe in `W3CReference`, and `allowElement(\u0027form\u0027)` resets the element\u0027s attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:\n\n* `\u003cform\u003e` + `action`: `allowElement(\u0027form\u0027, \u0027*\u0027)`, `allowElement(\u0027form\u0027, [\u0027action\u0027, \u2026])`, `allowElement(\u0027form\u0027)-\u003eallowAttribute(\u0027action\u0027, \u0027form\u0027)`, or the `allowStaticElements()` preset (whose docblock already warns the output \"may still contain other dangerous behaviors\");\n* `\u003cbutton\u003e` / `\u003cinput type=image\u003e` + `formaction`: `allowElement(\u2026, \u0027*\u0027)`, `allowAttribute(\u0027formaction\u0027, \u2026)`, or `allowStaticElements()`;\n* `\u003cblockquote\u003e` / `\u003cq\u003e` / `\u003cdel\u003e` / `\u003cins\u003e` + `cite`, or `\u003cvideo\u003e` + `poster`: similarly via `\u0027*\u0027`, `allowAttribute()`, or `allowStaticElements()`.\n\nFor the `action` / `formaction` cases the victim must additionally submit the form or click the button.\n\n### Resolution\n\n`UrlAttributeSanitizer` now also handles `action`, `formaction`, `cite` and `poster`. `action` / `formaction` / `cite` are validated against the link schemes (like `\u003ca href\u003e`, so `javascript:` is rejected and `data:` is dropped too); `poster` is validated against the media schemes (so `data:` images keep working). The behaviour of `\u003ca href\u003e` and `\u003cimg src\u003e` is unchanged.\n\nOne behaviour change to be aware of: a relative `action=\"/submit\"` on an allowed `\u003cform\u003e` is now dropped by default (the same as `\u003ca href\u003e` / `\u003cimg src\u003e` today); `-\u003eallowRelativeLinks()` re-enables it.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e) for branch 6.4.\n\n### Credits\n\nSymfony would like to thank Himanshu Anand and R\u00e9mi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.",
"id": "GHSA-hhg7-c65m-h7ff",
"modified": "2026-05-28T16:43:28Z",
"published": "2026-05-28T16:43:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/html-sanitizer/CVE-2026-45753.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45753.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45753"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony\u0027s HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite \u2014 `javascript`: URI Survives Sanitization (XSS)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.