It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the “xlink:href” attribute due to mishandling of the xlink namespace by the sanitizer.
[
  {
    "product": "enshrined/svg-sanitize",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "All versions prior to version 0.13.1"
      }
    ]
  }
]