Description
The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.