Bug #96990
Status: closed
Update enshrined/svg-sanitize to v0.15.0
Start date: 2022-02-22
% Done: 0%
TYPO3 Version: 9
Description
From GitHub (https://github.com/advisories/GHSA-fqx8-v33p-4qcc):
SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting.
TYPO3 9.5 currently uses enshrined/svg-sanitize:^0.14. This should get updated to enshrined/svg-sanitize:^0.15.
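A way to check whether an installation still locks a release older than the fixed one, as an added example that is not part of this ticket or of TYPO3's own code. The function names and the sample lock content are constructed for illustration; only the package name and the 0.15.0 boundary come from the ticket.

```python
import json
import re

PACKAGE = "enshrined/svg-sanitize"  # package named in the ticket
FIXED = (0, 15, 0)                  # first fixed release per the advisory
# Composer's caret rule for 0.x releases: ^0.14 means >=0.14.0 <0.15.0,
# so the fixed release is unreachable until the constraint itself changes.


def parse_version(raw):
    """Parse a lock version such as 'v0.14.1' or '0.15' into a 3-tuple.

    Returns None for anything not purely numeric (dev branches,
    pre-releases), which the caller reports for manual review.
    """
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def audit_lock(lock_text):
    """Return (status, locked_version) for PACKAGE in composer.lock text.

    status is 'vulnerable', 'fixed', 'unknown' or 'absent'.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            version = pkg.get("version", "")
            parsed = parse_version(version)
            if parsed is None:
                return "unknown", version
            return ("fixed" if parsed >= FIXED else "vulnerable"), version
    return "absent", None


# Constructed sample, shaped like the relevant part of a composer.lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "v1.2.3"},
        {"name": "enshrined/svg-sanitize", "version": "0.14.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

To audit a real project, pass the contents of its composer.lock to audit_lock() instead of the sample.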