CVE-2026-47344 (NVD)
Vulnerability Summary
When `ALLOW_INSECURE_RAW_TEXT` is enabled, whitespace-variant closing tags (e.g., `</style\t>`) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of `typo3/html-sanitizer` before version 2.3.2.
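The parser disagreement described above, as an added example that is not code from `typo3/html-sanitizer`: a matcher that accepts only the literal `</style>` stands in (as an assumption) for the sanitizer's view, next to the end-tag rule of the HTML tokenizer that browsers follow. The function names and sample strings are constructed for illustration, and the check goes beyond the tab case to the other whitespace characters and `/`.

```javascript
// Added example: simplified model, not code from typo3/html-sanitizer.
// Question modelled: where does the raw-text content of <style> end?

// Strict view: only the literal "</style>" (any letter case) counts as the end tag.
function strictEnd(html, tag, from = 0) {
  const m = new RegExp(`</${tag}>`, 'gi');
  m.lastIndex = from;
  const hit = m.exec(html);
  return hit ? hit.index : -1;
}

// Browser view (HTML tokenizer): "</" + tag name ends raw text when followed by
// tab, LF, FF, space, "/" or ">". CR is included because input preprocessing
// turns it into LF before tokenization.
function browserEnd(html, tag, from = 0) {
  const m = new RegExp(`</${tag}(?=[\\t\\n\\f\\r />])`, 'gi');
  m.lastIndex = from;
  const hit = m.exec(html);
  return hit ? hit.index : -1;
}

// True when the two views disagree on where raw text ends, i.e. markup after
// that point is inert text to one parser and live HTML to the other.
function endTagMismatch(html, tag, from = 0) {
  return strictEnd(html, tag, from) !== browserEnd(html, tag, from);
}

// Constructed sample inputs: raw-text content followed by ordinary markup.
const samples = {
  plain: 'p{color:red}</style><p>after</p>',
  tab: 'p{color:red}</style\t><p>after</p>',
  space: 'p{color:red}</STYLE ><p>after</p>',
  slash: 'p{color:red}</style/><p>after</p>',
  longerName: 'p{color:red}</styles><p>after</p>',
};

// Maps each sample name to whether the two views disagree on it.
function report() {
  return Object.fromEntries(
    Object.entries(samples).map(([k, v]) => [k, endTagMismatch(v, 'style')])
  );
}

console.log(report());
```

The inputs that report a mismatch are suitable as regression cases in a sanitizer test suite.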
Credits to IPC Labs for reporting this vulnerability.