GHSA-95m2-chm4-mq7m: 
PHP vulnerability analysis and mitigation

A persistent XSS vulnerability was discovered in PHP-Textile versions 4.1.2 and older, specifically affecting the image link handling functionality when running the parser in restricted mode. The vulnerability was disclosed on January 7, 2025, and affects the composer package netcarver/textile. The issue was assigned the identifier GHSA-95m2-chm4-mq7m and received a high severity rating (GitHub Advisory).

The vulnerability stems from improper validation of user-controllable href input in image links when the parser operates in restricted mode. While the library was designed to sanitize user input in restricted mode, version 4.1.2 and earlier failed to properly validate image link protocols, allowing any link protocol including malicious JavaScript links. The vulnerability received a CVSS v3.1 score of 7.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability allows attackers to inject malicious JavaScript code into pages, which executes when users interact with the affected links. This can lead to attackers performing operations with user's privileges or gaining remote control of user's browsers through automated tools (GitHub Advisory).

The vulnerability has been fixed in PHP-Textile version 4.1.3, which implements proper protocol restrictions for image links in restricted mode. Users should upgrade to version 4.1.3 or later. The fix ensures that image links undergo the same validation as text links when the parser is in restricted mode. Restricted mode can be enabled using the Parser::setRestricted() method before calling the parse method (GitHub Commit).