Closed
Description
Symfony version(s) affected
7.0, perhaps lower too
Description
You're checking the node name in the node traversal, but not the node type.
So creating a processing instruction with the name of an allowed element results in a misinterpretation: the processing instruction will be considered as if it is an element. Fortunately, this has no security impact because we can only misinterpret nodes into an allowed element.
How to reproduce
<?php
require 'vendor/autoload.php';
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
$config = (new HtmlSanitizerConfig())->allowElement("div");
$sanitizer = new HtmlSanitizer($config);
echo $sanitizer->sanitize("<?div x?>"), "\n";
Results in:
<div></div>
Possible Solution
Don't allow processing instructions; those aren't allowed by HTML5 anyway.
Additional Context
No response
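The distinction the report draws, as an added example that is neither Symfony's code nor the reporter's: a name-only allow-list check beside one that tests the node type first, run over a hand-built DOM. The function names, the `ALLOWED_ELEMENTS` constant and the constructed nodes are assumptions made for illustration.

```php
<?php
// Added illustration, not Symfony's code. The DOM is built by hand so the
// result does not depend on how a particular HTML parser treats the input.

const ALLOWED_ELEMENTS = ['div']; // mirrors allowElement("div") from the report

/** Name-only check: the behaviour the report describes. */
function isAllowedByNameOnly(DOMNode $node): bool
{
    return in_array(strtolower($node->nodeName), ALLOWED_ELEMENTS, true);
}

/** Type-then-name check: only real elements are compared with the allow-list. */
function isAllowedElement(DOMNode $node): bool
{
    return $node->nodeType === XML_ELEMENT_NODE
        && in_array(strtolower($node->nodeName), ALLOWED_ELEMENTS, true);
}

/** Walks the children of $parent and records each check's verdict per node. */
function classifyChildren(DOMNode $parent): array
{
    $rows = [];
    foreach ($parent->childNodes as $child) {
        $rows[] = [
            'type'        => $child->nodeType,
            'name'        => $child->nodeName,
            'nameOnly'    => isAllowedByNameOnly($child),
            'typeAndName' => isAllowedElement($child),
        ];
    }
    return $rows;
}

// Constructed sample tree: an allowed element, a processing instruction whose
// target is also "div", and an element that is not on the allow-list.
$doc  = new DOMDocument();
$root = $doc->appendChild($doc->createElement('body'));
$root->appendChild($doc->createElement('div'));
$root->appendChild($doc->createProcessingInstruction('div', 'x'));
$root->appendChild($doc->createElement('span'));

foreach (classifyChildren($root) as $row) {
    printf("type=%d name=%-4s name-only=%s type+name=%s\n",
        $row['type'], $row['name'],
        $row['nameOnly'] ? 'allow' : 'drop',
        $row['typeAndName'] ? 'allow' : 'drop');
}
```

The processing instruction reports the same `nodeName` as the element, so only the `nodeType` comparison (`XML_PI_NODE` versus `XML_ELEMENT_NODE`) tells the two apart.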