php · symfony/html-sanitizer
Heads-up
symfony/html-sanitizer UrlSanitizer::parse() denies BiDi marks and Unicode whitespace
What changed
UrlSanitizer::parse() now denies BiDi formatting marks, Unicode whitespace, and zero-width no-break space in both raw input and percent-decoded form of each parsed URL component.
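To make the change concrete, here is a standalone check in the same spirit, written as an added example for this page; it is not Symfony's code and does not reproduce the exact character list that UrlSanitizer::parse() uses. It splits a URL with PHP's parse_url(), then tests every string component twice, once as written and once after rawurldecode(), against a denied-character class covering the BiDi formatting marks, a set of Unicode whitespace code points, and U+FEFF. The function names, the regex and the sample URLs are this example's own assumptions.

```php
<?php
// Added example, not Symfony's own code: a standalone check in the spirit of the
// hardened UrlSanitizer::parse(). A URL is rejected when any parsed component,
// either as written or after percent-decoding, contains a BiDi formatting mark,
// Unicode whitespace, or U+FEFF (zero-width no-break space).
declare(strict_types=1);

// Denied code points. This set is the example's assumption, not the library's list.
const DENIED_CHARS_PATTERN = '/[' .
    '\x{200E}\x{200F}' .          // LRM, RLM
    '\x{202A}-\x{202E}' .         // LRE, RLE, PDF, LRO, RLO
    '\x{2066}-\x{2069}' .         // LRI, RLI, FSI, PDI
    '\x{061C}' .                  // ARABIC LETTER MARK
    '\x{FEFF}' .                  // ZERO WIDTH NO-BREAK SPACE
    '\x{0085}\x{00A0}\x{1680}' .  // NEL, NBSP, OGHAM SPACE MARK
    '\x{2000}-\x{200A}' .         // EN QUAD .. HAIR SPACE
    '\x{2028}\x{2029}' .          // LINE SEPARATOR, PARAGRAPH SEPARATOR
    '\x{202F}\x{205F}\x{3000}' .  // NNBSP, MMSP, IDEOGRAPHIC SPACE
    ']/u';

function containsDeniedChar(string $value): bool
{
    // Test the raw text and its percent-decoded form, so that "%E2%80%AE"
    // (encoded RLO) is caught exactly like a literal U+202E.
    foreach ([$value, rawurldecode($value)] as $candidate) {
        // With the /u flag preg_match() returns false on invalid UTF-8;
        // treat that as denied as well rather than letting it through.
        $result = preg_match(DENIED_CHARS_PATTERN, $candidate);
        if ($result === false || $result === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the parse_url() components, or null when the URL must be rejected.
 */
function parseSanitizedUrl(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null; // seriously malformed URL
    }
    foreach ($parts as $component) {
        // 'port' is an int; only string components carry text to inspect.
        if (is_string($component) && containsDeniedChar($component)) {
            return null;
        }
    }
    return $parts;
}

// Constructed sample inputs for demonstration.
$cases = [
    'https://example.com/path?q=1#top',      // clean: allowed
    "https://example.com/\u{202E}gnp.exe",    // literal RLO in path: denied
    'https://example.com/%E2%80%AEgnp.exe',   // percent-encoded RLO: denied
    "https://exam\u{FEFF}ple.com/",           // U+FEFF inside host: denied
    'https://example.com/a%E2%80%83b',        // encoded EM SPACE in path: denied
];
foreach ($cases as $url) {
    printf("%s => %s\n", $url, parseSanitizedUrl($url) === null ? 'DENIED' : 'ALLOWED');
}
```

The point of decoding each component a second time is that a percent-encoded mark survives any check that only looks at the literal bytes, and a browser or a later decoding step then renders the spoofed text anyway. Checking both forms per component, rather than the whole URL once, also means a mark hidden in the host is treated the same as one hidden in the path or fragment.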
Who it affects
Users of symfony/html-sanitizer who rely on URL sanitization to prevent visual spoofing and allow-list bypass.
What to do today
Update to a patched release of the branch you track (6.4.x, 7.4.x, 8.0.x, 8.1.x) as soon as possible. You can confirm the installed version with `composer show symfony/html-sanitizer`.