GHSA-hhg7-c65m-h7ff
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript:` URI Survives Sanitization (XSS)
Details
### Description
`symfony/html-sanitizer` lets applications sanitise untrusted HTML. `UrlAttributeSanitizer` is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is *kept* is decided by the element/attribute allow-list; validating the *scheme* of a URL attribute is solely `UrlAttributeSanitizer`'s responsibility.
`UrlAttributeSanitizer::getSupportedAttributes()` returned only `['src', 'href', 'lowsrc', 'background', 'ping']`. The HTML URL-valued attributes `action` (`<form>`), `formaction` (`<button>`, `<input type=image>`), `poster` (`<video>`) and `cite` (`<blockquote>`, `<q>`, `<del>`, `<ins>`) were missing from that list, so `DomVisitor` never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a `javascript:` URI in it survived sanitisation.
### Conditions for exploitation
`allowSafeElements()` is **not** affected: `<form>` and the `formaction` attribute are both flagged unsafe in `W3CReference`, and `allowElement('form')` resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:
* `<form>` + `action`: `allowElement('form', '*')`, `allowElement('form', ['action', …])`, `allowElement('form')->allowAttribute('action', 'form')`, or the `allowStaticElements()` preset (whose docblock already warns the output "may still contain other dangerous behaviors");
* `<button>` / `<input type=image>` + `formaction`: `allowElement(…, '*')`, `allowAttribute('formaction', …)`, or `allowStaticElements()`;
* `<blockquote>` / `<q>` / `<del>` / `<ins>` + `cite`, or `<video>` + `poster`: similarly via `'*'`, `allowAttribute()`, or `allowStaticElements()`.
For the `action` / `formaction` cases the victim must additionally submit the form or click the button.
### Resolution
`UrlAttributeSanitizer` now also handles `action`, `formaction`, `cite` and `poster`. `action` / `formaction` / `cite` are validated against the link schemes (like `<a href>`, so `javascript:` is rejected and `data:` is dropped too); `poster` is validated against the media schemes (so `data:` images keep working). The behaviour of `<a href>` and `<img src>` is unchanged.
One behaviour change to be aware of: a relative `action="/submit"` on an allowed `<form>` is now dropped by default (the same as `<a href>` / `<img src>` today); `->allowRelativeLinks()` re-enables it.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e) for branch 6.4.
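The following is an added regression check, not code from the advisory or from Symfony itself. It builds the kind of permissive configuration described under "Conditions for exploitation", runs constructed inputs carrying a `javascript:` URI in each of the four affected attributes through `HtmlSanitizer`, and reports whether the scheme survives, which is what an application can run after upgrading to confirm the installed version is fixed. It assumes `symfony/html-sanitizer` is installed via Composer and uses `javascript:void(0)` as a harmless probe value.

```php
<?php
// Added example: regression check for GHSA-hhg7-c65m-h7ff.
// Assumes symfony/html-sanitizer is installed via Composer (assumption).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Deliberately permissive configuration of the kind the advisory describes:
// the allow-list admits the affected attributes, so UrlAttributeSanitizer is
// the only thing standing between the input and the output.
$config = (new HtmlSanitizerConfig())
    ->allowElement('form', ['action'])
    ->allowElement('button', ['formaction'])
    ->allowElement('video', ['poster'])
    ->allowElement('blockquote', ['cite'])
    // After the fix a relative action="/submit" is dropped by default;
    // this re-enables it (see the behaviour change noted in the advisory).
    ->allowRelativeLinks();

$sanitizer = new HtmlSanitizer($config);

// Constructed inputs: a javascript: URI in each attribute the fix now covers,
// plus a relative action to show the allowRelativeLinks() caveat.
$samples = [
    'form/action'       => '<form action="javascript:void(0)"><input type="submit"></form>',
    'button/formaction' => '<button formaction="javascript:void(0)">go</button>',
    'video/poster'      => '<video poster="javascript:void(0)"></video>',
    'blockquote/cite'   => '<blockquote cite="javascript:void(0)">q</blockquote>',
    'form/relative'     => '<form action="/submit"></form>',
];

$vulnerable = false;
foreach ($samples as $label => $html) {
    $out = $sanitizer->sanitize($html);
    // A fixed version never lets the javascript: scheme reach the output.
    $leaked = false !== stripos($out, 'javascript:');
    $vulnerable = $vulnerable || $leaked;
    printf("%-18s %s  %s\n", $label, $leaked ? 'LEAKED' : 'ok    ', $out);
}

// Non-zero exit so the check can gate a CI pipeline.
exit($vulnerable ? 1 : 0);
```

On a fixed version every `javascript:` sample prints `ok` and the relative `/submit` action is preserved only because `allowRelativeLinks()` was set.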
### Credits
Symfony would like to thank Himanshu Anand and Rémi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.
Affected packages

| Package | Affected from | Fixed in | Upgrade command |
|---|---|---|---|
| symfony/html-sanitizer | 6.1.0 | 6.4.40 | `composer require symfony/html-sanitizer:^6.4.40` |
| symfony/html-sanitizer | 7.0.0 | 7.4.12 | `composer require symfony/html-sanitizer:^7.4.12` |
| symfony/html-sanitizer | 8.0.0 | 8.0.12 | `composer require symfony/html-sanitizer:^8.0.12` |
| symfony/symfony | 6.1.0 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | 7.0.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

References
- https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff [WEB]
- https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/html-sanitizer/CVE-2026-45753.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45753.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45753 [WEB]