Per https://github.com/php/php-src/pull/1940 htmltidy is affected by CVE-2015-5522 and CVE-2015-5523
CVE-2020-5522: Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.

CVE-2020-5523: The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation.
seems like it was already fixed years before this bug was filed

*** This bug has been marked as a duplicate of bug 561452 ***