Problem
DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting protection mechanism of typo3/html-sanitizer.
Solution
Update to typo3/html-sanitizer versions 1.5.3 or 2.1.4 that fix the problem described.
Credits
Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.
References
- TYPO3-CORE-SA-2023-007
- Disclosure & PoC (embargoed +90 days)