Bug #96990: Update enshrined/svg-sanitize to v0.15.0 - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #96990

closed

Update enshrined/svg-sanitize to v0.15.0

Added by Leo Viezens about 2 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Oliver Hader

Category:

Security

Target version:

Start date:

2022-02-22

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

From Github (https://github.com/advisories/GHSA-fqx8-v33p-4qcc):

SVG sanitizer library before version 0.15.0 did not
- remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded
- in HTML (fetched as text/html) was susceptible to cross-site scripting.

TYPO3 9.5 currently uses enshrined/svg-sanitize:^0.14. This should get updated to enshrined/svg-sanitize:^0.15.

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Is duplicate of Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15 added

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Status changed from New to Closed

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Please see
→ https://typo3.org/article/typo3-1157-and-10425-maintenance-releases-published
→ https://typo3.org/security/advisory/typo3-psa-2022-001

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #96990

Update enshrined/svg-sanitize to v0.15.0

Updated by Oliver Hader about 2 years ago

Updated by Oliver Hader about 2 years ago

Updated by Oliver Hader about 2 years ago