In #88 we have determined that the bypass this security advisory was created for was a false positive, and as such we have requested that the CVE be rejected.
A bypass has been found that allows an attacker to upload an SVG with persistent XSS.
HTML elements within CDATA needed to be sanitized correctly: we were converting them to a text node, and therefore the library wasn't seeing them as DOM elements.
Any data within a CDATA node will now be sanitised using HTMLPurifier. We've also removed many of the HTML and MathML elements from the allowed element list, as without foreignObject they're not legal within the SVG context.
Additional tests have been added to the test suite to account for these new bypasses.
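As an added illustration (not code from the svg-sanitizer project), a small Python check that walks an SVG DOM and flags CDATA sections whose text an HTML parser would read as element tags, which is exactly the content a sanitizer that treats CDATA as an opaque text node never sees. The sample SVG is constructed for this example.

```python
"""Flag CDATA sections in an SVG whose text would be read as HTML element tags."""
from html.parser import HTMLParser
from xml.dom import minidom


class _TagCollector(HTMLParser):
    """Records every element start tag an HTML parser sees in a text fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (self-closing forms like <br/>) falls through to this by default
        self.tags.append(tag)


def html_tags_in(text):
    """Return the element names hidden in a CDATA text fragment (empty list if none)."""
    collector = _TagCollector()
    collector.feed(text)
    collector.close()
    return collector.tags


def find_markup_in_cdata(svg_source):
    """Walk the SVG DOM and return (parent_tag, [html_tags]) for each CDATA node
    carrying markup. Plain CSS inside <style><![CDATA[...]]></style> yields no
    tags and is not reported; wrapped HTML elements are."""
    doc = minidom.parseString(svg_source)  # minidom keeps CDATA as CDATASection nodes
    findings = []
    stack = [doc.documentElement]
    while stack:
        node = stack.pop()
        for child in node.childNodes:
            if child.nodeType == child.CDATA_SECTION_NODE:
                tags = html_tags_in(child.data)
                if tags:
                    findings.append((node.tagName, tags))
            elif child.nodeType == child.ELEMENT_NODE:
                stack.append(child)
    return findings


# Constructed sample: a legitimate CDATA block inside <style> and one that wraps HTML markup.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<style><![CDATA[ .a { fill: red; } ]]></style>'
    '<text><![CDATA[<b>not plain text</b>]]></text>'
    '</svg>'
)
```

Running `find_markup_in_cdata(SAMPLE_SVG)` reports only the `<text>` element's CDATA node, with the hidden `b` tag, while the CSS in `<style>` passes clean.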
This impacts all users of the svg-sanitizer library.
This issue is fixed in 0.16.0 and higher.
There is currently no workaround available without upgrading.
If you have any questions or comments about this advisory:
- Open an issue in GitHub
- Email us at [email protected]
| CPE | Name | Operator | Version |
|---|---|---|---|
| | enshrined/svg-sanitize | lt | 0.16.0 |