GHSA-hhg7-c65m-h7ff

Source
https://github.com/advisories/GHSA-hhg7-c65m-h7ff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hhg7-c65m-h7ff
Aliases
  • CVE-2026-45753
Published
2026-05-28T16:43:27Z
Modified
2026-05-28T17:00:10.163459162Z
Severity
  • 1.2 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U CVSS Calculator
Summary
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: `javascript:` URI Survives Sanitization (XSS)
Details

Description

symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is decided by the element/attribute allow-list; validating the scheme of a URL attribute is solely UrlAttributeSanitizer's responsibility.

UrlAttributeSanitizer::getSupportedAttributes() returned only ['src', 'href', 'lowsrc', 'background', 'ping']. The HTML URL-valued attributes action (<form>), formaction (<button>, <input type=image>), poster (<video>) and cite (<blockquote>, <q>, <del>, <ins>) were missing from that list, so DomVisitor never invoked scheme validation for them. As a result, whenever a configuration admitted one of those attributes, a javascript: URI in it survived sanitisation untouched.

Conditions for exploitation

allowSafeElements() is not affected: <form> and the formaction attribute are both flagged unsafe in W3CReference, and allowElement('form') resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:

  • <form> + action: allowElement('form', '*'), allowElement('form', ['action', …]), allowElement('form')->allowAttribute('action', 'form'), or the allowStaticElements() preset (whose docblock already warns the output "may still contain other dangerous behaviors");
  • <button> / <input type=image> + formaction: allowElement(…, '*'), allowAttribute('formaction', …), or allowStaticElements();
  • <blockquote> / <q> / <del> / <ins> + cite, or <video> + poster: similarly via '*', allowAttribute(), or allowStaticElements().

For the action / formaction cases the victim must additionally submit the form or click the button.

Resolution

UrlAttributeSanitizer now also handles action, formaction, cite and poster. action / formaction / cite are validated against the link schemes (like <a href>, so javascript: is rejected and data: is dropped too); poster is validated against the media schemes (so data: images keep working). The behaviour of <a href> and <img src> is unchanged.

One behaviour change to be aware of: a relative action="/submit" on an allowed <form> is now dropped by default (the same as <a href> / <img src> today); ->allowRelativeLinks() re-enables it.

The patch for this issue is available here for branch 6.4.
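The following is an added regression check, not code from the advisory or from the Symfony project. It builds the kind of permissive configuration the advisory describes as reachable (allowSafeElements() plus explicit grants of action, formaction, poster and cite), feeds one constructed probe per attribute through HtmlSanitizer, re-parses the output with ext-dom, and reports which of the four attributes still carries a javascript: scheme. On a release with the fix the list is empty; on an unpatched release it names the attributes that let the scheme through. The autoload path, the element/attribute grants and the probe values (inert javascript:void(0)) are assumptions made for this example.

```php
<?php
// Added example, not code from the advisory or from the Symfony project.
// Assumes symfony/html-sanitizer is installed via Composer and PHP's ext-dom
// is available. The configuration and probe values below are constructed.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// A permissive configuration of the shape the advisory calls reachable:
// the safe preset plus explicit grants of the four URL-valued attributes.
// (Assumed for this check; adapt it to your application's real config.)
function permissiveConfig(): HtmlSanitizerConfig
{
    return (new HtmlSanitizerConfig())
        ->allowSafeElements()
        ->allowElement('form', ['action', 'method'])
        ->allowElement('button', ['formaction', 'type'])
        ->allowElement('video', ['poster', 'controls'])
        ->allowElement('blockquote', ['cite']);
}

// Constructed probes: one javascript: URI per attribute named in the advisory.
// javascript:void(0) does nothing; the check only asks whether the scheme survives.
const PROBES = [
    'action'     => '<form action="javascript:void(0)" method="post"><button type="submit">Go</button></form>',
    'formaction' => '<form><button type="submit" formaction="javascript:void(0)">Go</button></form>',
    'poster'     => '<video controls poster="javascript:void(0)"></video>',
    'cite'       => '<blockquote cite="javascript:void(0)">quoted</blockquote>',
];

/**
 * Sanitizes each probe and returns the names of the attributes whose value
 * still begins with the javascript: scheme in the sanitized output. The output
 * is re-parsed with DOMDocument so attribute decoding is done by ext-dom
 * rather than by a regex over the serialized HTML.
 */
function survivingJavascriptUrls(HtmlSanitizerConfig $config, array $probes): array
{
    $sanitizer = new HtmlSanitizer($config);
    $surviving = [];

    foreach ($probes as $attribute => $html) {
        $output = $sanitizer->sanitize($html);

        $dom = new \DOMDocument();
        $previous = libxml_use_internal_errors(true); // HTML5 tags such as <video> trigger libxml warnings
        $dom->loadHTML('<!DOCTYPE html><html><body>'.$output.'</body></html>');
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        foreach ((new \DOMXPath($dom))->query('//@*') as $attr) {
            if (strtolower($attr->name) === $attribute
                && preg_match('/^\s*javascript:/i', $attr->value)) {
                $surviving[] = $attribute;
                break;
            }
        }
    }

    return $surviving;
}

$surviving = survivingJavascriptUrls(permissiveConfig(), PROBES);

if ([] === $surviving) {
    echo "OK: no javascript: URI survived in action/formaction/poster/cite\n";
    exit(0);
}

// An unpatched release lists the attributes that let the scheme through.
echo 'FAIL: javascript: URI survived in: '.implode(', ', $surviving)."\n";
exit(1);
```

Run it with the sanitizer version your application ships (for example `php check-sanitizer.php`, the file name being arbitrary) and keep it as a CI check. A non-empty result on a release before 6.4.40 / 7.4.12 / 8.0.12 confirms the advisory's condition in your own configuration; since the advisory states the attributes are only reachable through a deliberately permissive allow-list, removing action, formaction, poster and cite from the grants is the interim mitigation until the upgrade, after which the check should pass without further changes (remember that a relative action= now also requires ->allowRelativeLinks()).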

Credits

Symfony would like to thank Himanshu Anand and Rémi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.

Database specific
{
    "cwe_ids": [
        "CWE-79",
        "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T16:43:27Z",
    "nvd_published_at": null,
    "severity": "LOW"
}
References

Affected packages

Packagist
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.4.40

Affected versions

v6.*
v6.1.0
v6.1.9
v6.1.11
v6.2.0-BETA1
v6.2.0-RC1
v6.2.0
v6.2.2
v6.2.5
v6.2.7
v6.3.0-BETA1
v6.3.0-RC1
v6.3.0
v6.3.4
v6.3.7
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-RC1
v6.4.0
v6.4.3
v6.4.4
v6.4.7
v6.4.8
v6.4.12
v6.4.13
v6.4.17
v6.4.18
v6.4.21
v6.4.24
v6.4.25
v6.4.28
v6.4.35

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.4.12

Affected versions

v7.*
v7.0.0
v7.0.3
v7.0.4
v7.0.7
v7.0.8
v7.1.0-BETA1
v7.1.0-RC1
v7.1.0
v7.1.1
v7.1.5
v7.1.6
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-RC1
v7.2.0
v7.2.2
v7.2.3
v7.2.6
v7.2.9
v7.3.0-BETA1
v7.3.0-RC1
v7.3.0
v7.3.2
v7.3.3
v7.3.6
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0
v7.4.7
v7.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.7
v8.0.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.4.40

Affected versions

v6.*
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.1.10
v6.1.11
v6.1.12
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.2.0-RC1
v6.2.0-RC2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.3.10
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.4.12

Affected versions

v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.0.10
v7.1.0-BETA1
v7.1.0-RC1
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.3.9
v7.3.10
v7.3.11
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hhg7-c65m-h7ff/GHSA-hhg7-c65m-h7ff.json"