Task #100233: Upgrade enshrined/svg-sanitize to ^0.16 - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (1)

J. Peter M. Schuler

Actions

Copy link

Task #100233

closed

Upgrade enshrined/svg-sanitize to ^0.16

Added by J. Peter M. Schuler over 1 year ago. Updated over 1 year ago.

Status:

Rejected

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2023-03-20

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

The current dependency of enshrined/svg-sanitize:^0.15.4 is marked insecure: https://github.com/advisories/GHSA-xrqq-wqh4-5hg2
As 0.15.4 is the last 0.15.x and SemVer dictates to treat ^0.15 as a major, the dependency needs to be raised to ^0.16.0 to allow installation of a secure version.

Related issues 3 (0 open — 3 closed)

Related to TYPO3 Core - Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15

Closed

2022-02-15

Actions

Related to TYPO3 Core - Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0

Rejected

Oliver Hader

2023-03-21

Actions

Related to TYPO3 Core - Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize'

Closed

2024-04-25

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by J. Peter M. Schuler over 1 year ago

TYPO3 Version changed from 11 to 12

Relevant for 10LTS, 11LTS and 12

Actions

Copy link

Updated by J. Peter M. Schuler over 1 year ago

Related to Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15 added

Actions

Copy link

Updated by J. Peter M. Schuler over 1 year ago

Quick hotfix to allow install:

composer req enshrined/svg-sanitize:"0.16.0 as 0.15.5" 
composer remove --dev roave/security-advisories

This would install 0.16.0, still roave needs removal as the alias 0.15.5 would be still flagged insecure, yet 0.15.5 would satisfy the core requirement.

The discussion in #96901 for the last security fix for svg-sanitize mentions that that introduced regressions. I didn't test compatibility with 0.16.0 yet.

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Status changed from New to Under Review

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Oliver Hader over 1 year ago

Related to Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0 added

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions

Copy link

#10

Updated by Oliver Hader over 1 year ago

Status changed from Under Review to Rejected

Not required, the CVE for v0.16.0 was rejected as well (it wasn't a security vulnerability at all).

Actions

Copy link

#11

Updated by Lars Tode 7 months ago

Related to Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize' added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Task #100233

Upgrade enshrined/svg-sanitize to ^0.16

Updated by J. Peter M. Schuler over 1 year ago

Updated by J. Peter M. Schuler over 1 year ago

Updated by J. Peter M. Schuler over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Oliver Hader over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Oliver Hader over 1 year ago

Updated by Lars Tode 7 months ago