diff --git a/composer.json b/composer.json
index c1ed28c719920175b8ce9cde522f951011b27d1f..6ccc1266025b39d3bd9432ae1283f74522241286 100644
--- a/composer.json
+++ b/composer.json
@@ -96,7 +96,7 @@
 		"typo3/class-alias-loader": "^1.1.4",
 		"typo3/cms-cli": "^3.1",
 		"typo3/cms-composer-installers": "^5.0",
-		"typo3/html-sanitizer": "^2.1.3",
+		"typo3/html-sanitizer": "^2.1.4",
 		"typo3fluid/fluid": "^2.9.2"
 	},
 	"require-dev": {
diff --git a/composer.lock b/composer.lock
index 24cda42fb01456ef2ce18c5741008e7d416a63de..33cb943bc946a0053d6071c9e28287571d2550b1 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "3804c033560c628a027dfc79915afdb4",
+    "content-hash": "2220edce56b7861d31cf5b5c4b223a7f",
     "packages": [
         {
             "name": "bacon/bacon-qr-code",
@@ -4773,16 +4773,16 @@
         },
         {
             "name": "typo3/html-sanitizer",
-            "version": "v2.1.3",
+            "version": "v2.1.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/TYPO3/html-sanitizer.git",
-                "reference": "a35f220b2336e3f040f91d3de23d19964833643f"
+                "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/a35f220b2336e3f040f91d3de23d19964833643f",
-                "reference": "a35f220b2336e3f040f91d3de23d19964833643f",
+                "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
+                "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
                 "shasum": ""
             },
             "require": {
@@ -4818,9 +4818,9 @@
             "description": "HTML sanitizer aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.",
             "support": {
                 "issues": "https://github.com/TYPO3/html-sanitizer/issues",
-                "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.3"
+                "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.4"
             },
-            "time": "2023-07-25T08:47:32+00:00"
+            "time": "2023-11-14T07:41:08+00:00"
         },
         {
             "name": "typo3fluid/fluid",
diff --git a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
index 39965bdc7938931fd4beb0914edae440d48b64c2..b4f5c8c3cbf96dc473d9b9d3ab9800343fce7647 100644
--- a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
+++ b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
@@ -227,6 +227,13 @@ final class SecurityTest extends FunctionalTestCase
                     '<p><a href="t3://page?uid=1" target="_blank" rel="noreferrer" role="button" onmouseover="alert(1)">text</a></p>',
                 ],
             ],
+            [
+                '<?xml >s<img src=x onerror=alert(1)> ?>',
+                [
+                    '&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
+                    '<?xml >s<img src=x onerror=alert(1)> ?>',
+                ],
+            ],
         ];
     }
 
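Review bot: The second expected value of the new data set is the raw payload `<?xml >s<img src=x onerror=alert(1)> ?>`, and nothing in the hunk says which field or configuration is allowed to store it unsanitized. The preceding set has the same shape (its second value keeps `onmouseover="alert(1)"`), so this looks intentional, presumably one expectation per target field; the test method that consumes the pair is outside the hunk, so confirm there. I would add a comment above the inner array such as `// [0] field with HTML sanitization enabled, [1] field stored as-is (TODO confirm)`. A string key like the `'#941'` used for the same input in DefaultSanitizerBuilderTest.php would also let a failure name the case.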
diff --git a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
index 612c25f18aadb92791f64c880ea0c00c091940e4..9800249a85eea5c420c2c9f1d0c2d44298018d98 100644
--- a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
+++ b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
@@ -145,6 +145,18 @@ final class DefaultSanitizerBuilderTest extends FunctionalTestCase
                 '<span style="color: orange">value</span>',
                 '<span style="color: orange">value</span>',
             ],
+            '#912' => [
+                '<!---><p>',
+                '<!---&gt;&lt;p&gt;-->',
+            ],
+            '#913' => [
+                '<!---!><p>',
+                '<!---!&gt;&lt;p&gt;-->',
+            ],
+            '#941' => [
+                '<?xml >s<img src=x onerror=alert(1)> ?>',
+                '&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
+            ],
         ];
     }
 
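Review bot: The keys `'#912'`, `'#913'` and `'#941'` do not say what each case guards against, so a reader has to decode the payloads. The first two are comments closed abruptly by `<!--->` and `<!---!>`, and the third is a processing instruction wrapping an `<img ... onerror=...>`. A one-line comment per case would make a regression easier to triage, e.g. `// abruptly closed comment: the following <p> must stay encoded inside the comment` above `'#912'` and `// processing instruction: content must be encoded, not parsed as elements` above `'#941'`. If the numbers mirror dataset ids in the typo3/html-sanitizer test suite, a comment above the three entries should say so; that is not visible here. The provider body starts outside the hunk.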
@@ -202,6 +214,7 @@ final class DefaultSanitizerBuilderTest extends FunctionalTestCase
         $sanitizer->sanitize('<script>alert(1)</script>', new SanitizerInitiator($trace));
         $logItemDataExpectation = [
             'behavior' => 'default',
+            'nodeType' => 1,
             'nodeName' => 'script',
             'initiator' => $trace,
         ];
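Review bot: `'nodeType' => 1` in the log expectation is a bare magic number. If it is the DOM node type of the rejected `script` element, as the neighbouring `nodeName` suggests, the named constant states the intent: `'nodeType' => XML_ELEMENT_NODE,`. The same literal is added to the expectation in HtmlViewHelperTest.php and would take the same change. Both test methods start and end outside their hunks, so the assertion that compares the array is not visible here.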
diff --git a/typo3/sysext/core/composer.json b/typo3/sysext/core/composer.json
index 6833553b070de4e8dc08ff0193ee271fe6b1c831..adbf204e5efccc30fa7d6ebdce55010c03e88986 100644
--- a/typo3/sysext/core/composer.json
+++ b/typo3/sysext/core/composer.json
@@ -72,7 +72,7 @@
 		"typo3/class-alias-loader": "^1.1.4",
 		"typo3/cms-cli": "^3.1",
 		"typo3/cms-composer-installers": "^5.0",
-		"typo3/html-sanitizer": "^2.1.3",
+		"typo3/html-sanitizer": "^2.1.4",
 		"typo3fluid/fluid": "^2.9.2"
 	},
 	"suggest": {
diff --git a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
index 7b7c4ecb63a650831501c1b2c757cd080928f4aa..d30a4597c10435a047c17a9ce979556a36bb299d 100644
--- a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
+++ b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
@@ -94,6 +94,7 @@ final class HtmlViewHelperTest extends FunctionalTestCase
 
         $logItemDataExpectation = [
             'behavior' => 'default',
+            'nodeType' => 1,
             'nodeName' => 'script',
             'initiator' => HtmlViewHelper::class,
         ];
diff --git a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
index 1d0444ec2b486296134e0122f4601a312d3ce296..46b24afb2d263a9d14c55cf1f190b231a2552298 100644
--- a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
+++ b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
@@ -109,6 +109,14 @@ final class SecureHtmlRenderingTest extends FunctionalTestCase
                 '07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
                 '<p>07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a></p>',
             ],
+            '#08' => [
+                '08: <?xml >s<img src=x onerror=alert(1)> ?>',
+                // Note: The TYPO3 HTML Parser encodes processing instructions, it's therefore
+                // expected and "OK" that the img tag is not encoded but sanitized.
+                // If the HTML Parser would not run, the expected result would be:
+                // '<p>08: &lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;</p>',
+                '<p>08: &lt;?xml &gt;s<img src="x"> ?&gt;</p>',
+            ],
         ];
     }