Cross-Site Scripting in SVG Sanitizer
Moderate severity
GitHub Reviewed
Published
May 12, 2020
in
TYPO3GmbH/svg_sanitizer
•
Updated Jan 9, 2023
Description
Reviewed
May 13, 2020
Published to the GitHub Advisory Database
May 13, 2020
Last updated
Jan 9, 2023
Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting.
An updated version 1.0.3 is available from the TYPo3 extension manager and at https://extensions.typo3.org/extension/download/svg_sanitizer/1.0.3/zip/
Users of the extension are advised to update the extension as soon as possible.
References