diff --git a/composer.json b/composer.json
index 68638c8f7c209c0a696feb52f23a01b396958833..3def64c241daeaae4d73a83831313e9807ce47d0 100644
--- a/composer.json
+++ b/composer.json
@@ -97,7 +97,7 @@
 		"typo3/class-alias-loader": "^1.1.4",
 		"typo3/cms-cli": "^3.1",
 		"typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
-		"typo3/html-sanitizer": "^2.1.3",
+		"typo3/html-sanitizer": "^2.1.4",
 		"typo3/phar-stream-wrapper": "^3.1.7",
 		"typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
 		"typo3fluid/fluid": "^2.7.2"
diff --git a/composer.lock b/composer.lock
index 571de3e1ed04bb262134654f8d7e3d7fba1df4fb..1ab82ee31e499ddf9ebf6965e2c117be08f68dbf 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "dd3af25ec4a97765f03c9bf04eee6af8",
+    "content-hash": "2670bff3895b668f59189949cba04ec8",
     "packages": [
         {
             "name": "bacon/bacon-qr-code",
@@ -5006,16 +5006,16 @@
         },
         {
             "name": "typo3/html-sanitizer",
-            "version": "v2.1.3",
+            "version": "v2.1.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/TYPO3/html-sanitizer.git",
-                "reference": "a35f220b2336e3f040f91d3de23d19964833643f"
+                "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/a35f220b2336e3f040f91d3de23d19964833643f",
-                "reference": "a35f220b2336e3f040f91d3de23d19964833643f",
+                "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
+                "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
                 "shasum": ""
             },
             "require": {
@@ -5051,9 +5051,9 @@
             "description": "HTML sanitizer aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.",
             "support": {
                 "issues": "https://github.com/TYPO3/html-sanitizer/issues",
-                "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.3"
+                "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.4"
             },
-            "time": "2023-07-25T08:47:32+00:00"
+            "time": "2023-11-14T07:41:08+00:00"
         },
         {
             "name": "typo3/phar-stream-wrapper",
@@ -9257,5 +9257,5 @@
     "platform-overrides": {
         "php": "7.4.1"
     },
-    "plugin-api-version": "2.3.0"
+    "plugin-api-version": "2.6.0"
 }
diff --git a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
index 871646bbc28c7ba7e14b8b7c2fe315a88a761b93..cbd564c3d29d80c47d659eb9ecf4e0b3e4514f9e 100644
--- a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
+++ b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
@@ -226,6 +226,13 @@ class SecurityTest extends FunctionalTestCase
                     '<p><a href="t3://page?uid=1" target="_blank" rel="noreferrer" role="button" onmouseover="alert(1)">text</a></p>',
                 ],
             ],
+            [
+                '<?xml >s<img src=x onerror=alert(1)> ?>',
+                [
+                    '&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
+                    '<?xml >s<img src=x onerror=alert(1)> ?>',
+                ],
+            ],
         ];
     }
 
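Review bot: The second expected value of the new data set is the raw payload `<?xml >s<img src=x onerror=alert(1)> ?>`, unchanged, and nothing in the hunk says why an unescaped `onerror` handler is the correct result in that slot. A one-line comment above the set would stop a later reader from taking it for a sanitizer gap, for example `// processing instruction is encoded in the sanitized field; the second value is the field kept as submitted`, if that is what the two slots mean. The data provider and the test method that consumes it lie outside the hunk, so the wording needs checking against them.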
diff --git a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
index 6e4d74335d11aadff1a3a66945f337abc1b9b5b8..004e5040e6b58248dee0da53a7bf64e110b453d1 100644
--- a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
+++ b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
@@ -162,6 +162,18 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
                 '<span style="color: orange">value</span>',
                 '<span style="color: orange">value</span>',
             ],
+            '#912' => [
+                '<!---><p>',
+                '<!---&gt;&lt;p&gt;-->',
+            ],
+            '#913' => [
+                '<!---!><p>',
+                '<!---!&gt;&lt;p&gt;-->',
+            ],
+            '#941' => [
+                '<?xml >s<img src=x onerror=alert(1)> ?>',
+                '&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
+            ],
         ];
     }
 
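Review bot: The keys `'#912'`, `'#913'` and `'#941'` do not say what each case guards, and the inputs are terse enough to be misread as noise. A short comment per group would document the intent, e.g. `// malformed comment openers: the markup that follows must stay encoded inside the comment` above `'#912'` and `// processing instruction is encoded, not parsed as markup` above `'#941'`. The data provider starts outside the hunk, so whether these numbers follow an existing numbering scheme cannot be seen here.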
@@ -221,6 +233,7 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
         $sanitizer->sanitize('<script>alert(1)</script>', new SanitizerInitiator($trace));
         $logItemDataExpectation = [
             'behavior' => 'default',
+            'nodeType' => 1,
             'nodeName' => 'script',
             'initiator' => $trace,
         ];
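Review bot: The added `'nodeType' => 1` is a bare magic number in the log expectation. If the logged value is the DOM node type of the rejected `<script>` element, which is not visible here, `'nodeType' => XML_ELEMENT_NODE,` states that directly and keeps the integer value the same. The identical line is added in HtmlViewHelperTest.php and would benefit from the same change. The test method starts and ends outside the hunk.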
diff --git a/typo3/sysext/core/composer.json b/typo3/sysext/core/composer.json
index 4960d08d5d50b1a4ca0151342ef77a0212e228ef..d2ddca44788f3776cd7ab04580e4139b6b80f388 100644
--- a/typo3/sysext/core/composer.json
+++ b/typo3/sysext/core/composer.json
@@ -73,7 +73,7 @@
 		"typo3/class-alias-loader": "^1.1.4",
 		"typo3/cms-cli": "^3.1",
 		"typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
-		"typo3/html-sanitizer": "^2.1.3",
+		"typo3/html-sanitizer": "^2.1.4",
 		"typo3/phar-stream-wrapper": "^3.1.7",
 		"typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
 		"typo3fluid/fluid": "^2.7.2"
diff --git a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
index e9aa43f1027d8576f5d93876807c5ecc19d16c6f..efad1cae20acb6205661a31cdcb6bccd4dc6464a 100644
--- a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
+++ b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
@@ -98,6 +98,7 @@ class HtmlViewHelperTest extends FunctionalTestCase
 
         $logItemDataExpectation = [
             'behavior' => 'default',
+            'nodeType' => 1,
             'nodeName' => 'script',
             'initiator' => HtmlViewHelper::class,
         ];
diff --git a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
index 7a34ac7b8980de3e76a548ae44b11fe5de71f959..97e7d2656a5976e1037c8abb0d89cf6c1f8e6f33 100644
--- a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
+++ b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
@@ -119,6 +119,14 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
                 '07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
                 '<p>07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a></p>',
             ],
+            '#08' => [
+                '08: <?xml >s<img src=x onerror=alert(1)> ?>',
+                // Note: The TYPO3 HTML Parser encodes processing instructions, it's therefore
+                // expected and "OK" that the img tag is not encoded but sanitized.
+                // If the HTML Parser would not run, the expected result would be:
+                // '<p>08: &lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;</p>',
+                '<p>08: &lt;?xml &gt;s<img src="x"> ?&gt;</p>',
+            ],
         ];
     }