The recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user-submitted images that contain markup, which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, the recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see https://github.com/darylldoyle/svg-sanitizer/issues/71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
d6e3d9ca