Task #100233: Upgrade enshrined/svg-sanitize to ^0.16 - TYPO3 Core - TYPO3 Forge

Custom queries

12 LTS
Accessibility
Dashboard issues
Easy tasks
Extbase Issues
FAL Issues
FAL Sprint 2023
Hierarchical Issues
Issues reported for v11
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
Most wanted Bugfixes
Most wanted Features
My open issues
New & Unassigned
No feedback within 90 days
Open Bugs
Open issues of 10
Page Tree Regressions after 2020-07-28
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (1)

J. Peter M. Schuler

Actions

Copy link

Task #100233

closed

Upgrade enshrined/svg-sanitize to ^0.16

Added by J. Peter M. Schuler about 1 year ago. Updated about 1 year ago.

Status:

Rejected

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2023-03-20

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

The current dependency of enshrined/svg-sanitize:^0.15.4 is marked insecure: https://github.com/advisories/GHSA-xrqq-wqh4-5hg2
As 0.15.4 is the last 0.15.x and SemVer dictates to treat ^0.15 as a major, the dependency needs to be raised to ^0.16.0 to allow installation of a secure version.

Related issues 3 (0 open — 3 closed)

Related to TYPO3 Core - Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15

Closed

2022-02-15

Actions

Related to TYPO3 Core - Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0

Rejected

Oliver Hader

2023-03-21

Actions

Related to TYPO3 Core - Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize'

Resolved

2024-04-25

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by J. Peter M. Schuler about 1 year ago

TYPO3 Version changed from 11 to 12

Relevant for 10LTS, 11LTS and 12

Actions

Copy link

Updated by J. Peter M. Schuler about 1 year ago

Related to Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15 added

Actions

Copy link

Updated by J. Peter M. Schuler about 1 year ago

Quick hotfix to allow install:

composer req enshrined/svg-sanitize:"0.16.0 as 0.15.5" 
composer remove --dev roave/security-advisories

This would install 0.16.0, still roave needs removal as the alias 0.15.5 would be still flagged insecure, yet 0.15.5 would satisfy the core requirement.

The discussion in #96901 for the last security fix for svg-sanitize mentions that that introduced regressions. I didn't test compatibility with 0.16.0 yet.

Actions

Copy link

Updated by Gerrit Code Review about 1 year ago

Status changed from New to Under Review

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review about 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review about 1 year ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Oliver Hader about 1 year ago

Related to Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0 added

Actions

Copy link

Updated by Gerrit Code Review about 1 year ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review about 1 year ago

Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

#10

Updated by Oliver Hader about 1 year ago

Status changed from Under Review to Rejected

Not required, the CVE for v0.16.0 was rejected as well (it wasn't a security vulnerability at all).

Actions

Copy link

#11

Updated by Lars Tode 25 days ago

Related to Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize' added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Task #100233

Upgrade enshrined/svg-sanitize to ^0.16

Updated by J. Peter M. Schuler about 1 year ago

Updated by J. Peter M. Schuler about 1 year ago

Updated by J. Peter M. Schuler about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Oliver Hader about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Oliver Hader about 1 year ago

Updated by Lars Tode 25 days ago