[TASK] Upgrade enshrined/svg-sanitize to ^0.15.4
Recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contain markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, the recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see https://github.com/darylldoyle/svg-sanitizer/issues/71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
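The risk the commit message describes, shown as an added example that is not part of this TYPO3 change or of the svg-sanitizer project: a constructed SVG upload is run through the library's Sanitizer, and a small defender-side check confirms that no script content or event-handler attributes survive before the file is accepted. It assumes enshrined/svg-sanitize is installed via Composer; the sample SVG and the `findActiveContent` helper are the example's own.

```php
<?php
// Added example, not TYPO3 or svg-sanitizer project code. Assumes
// enshrined/svg-sanitize ^0.15.4 is installed via Composer in ./vendor.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Constructed sample upload: valid SVG image data that also carries
// script content, an event handler and an off-site reference, all of
// which become active once the file is inlined into an HTML page.
$dirtySvg = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <use xlink:href="https://remote.example/icons.svg#icon"/>
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>
SVG;

$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true); // strip hrefs that point off-site
$cleanSvg = $sanitizer->sanitize($dirtySvg);
if ($cleanSvg === false) {
    // sanitize() returns false when the input is not well-formed XML
    throw new RuntimeException('upload is not parseable as SVG, reject it');
}

// Defender-side check run on the sanitizer output before the file is
// accepted: list any script elements or on* attributes that survived.
function findActiveContent(string $svg): array
{
    $findings = [];
    $dom = new DOMDocument();
    $dom->loadXML($svg, LIBXML_NONET); // never fetch external resources
    foreach ($dom->getElementsByTagName('*') as $el) {
        if (strtolower($el->localName) === 'script') {
            $findings[] = '<script> element';
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->nodeName, 'on') === 0) {
                $findings[] = 'event handler attribute ' . $attr->nodeName;
            }
        }
    }
    return $findings;
}

print_r(findActiveContent($dirtySvg)); // findings on the raw upload
print_r(findActiveContent($cleanSvg)); // findings remaining after sanitizing
```

An upload whose sanitized output still yields findings should be rejected rather than stored under fileadmin, since the sanitizer is the only barrier between the uploaded markup and the browser.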
Showing 7 changed files:
- composer.json: 1 addition, 1 deletion
- composer.lock: 8 additions, 9 deletions
- typo3/sysext/core/Tests/Functional/Resource/Fixtures/CleanSVG/entity.svg: 1 addition, 1 deletion
- typo3/sysext/core/Tests/Functional/Resource/Fixtures/CleanSVG/entity_2.svg: 1 addition, 1 deletion
- typo3/sysext/core/Tests/Functional/Resource/Fixtures/CleanSVG/svgOne.svg: 0 additions, 1 deletion
- typo3/sysext/core/Tests/Functional/Resource/Fixtures/CleanSVG/xlinkLoop.svg: 0 additions, 3 deletions
- typo3/sysext/core/composer.json: 1 addition, 1 deletion