If you think that you have found a security issue in html-sanitizer, don't use the bug tracker and don't publish it publicly. Instead, all security issues must be sent to galopintitouan [at] gmail.com.
For each report, the core maintainers of html-sanitizer will first try to confirm the vulnerability. When it is confirmed, we will work on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch in a dedicated private repository;
- Get a CVE identifier from mitre.org;
- Send the patch to the reporter for review;
- Apply the patch to all maintained versions of html-sanitizer;
- Package new versions for all affected versions;
- Update the public security advisories database maintained by the FriendsOfPHP organization.