SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.
This issue is fixed in 0.15.0 and higher.
There is currently no workaround available without upgrading.
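
An audit check for SVG content that was stored before the upgrade, added here as an example (Python, not the library's own code and not a workaround): it flags CDATA sections whose text contains markup-like content, so those files can be re-sanitized with 0.15.0 or higher. The function name, the pattern and the sample SVGs are constructed for illustration, and refusing documents that carry a DOCTYPE is this example's own choice.

```python
import re
from xml.parsers import expat

# Text an HTML parser could read as a tag, comment or declaration start.
MARKUP = re.compile(r"<[A-Za-z/!?]")

# Constructed samples: one CDATA section holding an HTML element, one holding CSS.
SAMPLE_FLAGGED = (
    '<svg xmlns="http://www.w3.org/2000/svg">\n'
    '  <text>ok</text>\n'
    '  <desc><![CDATA[<b>bold label</b>]]></desc>\n'
    '</svg>'
)
SAMPLE_CLEAN = (
    '<svg xmlns="http://www.w3.org/2000/svg">\n'
    '  <style><![CDATA[ circle { fill: red; } ]]></style>\n'
    '</svg>'
)

def cdata_with_markup(svg_text):
    """Return (line, content) for each CDATA section containing markup-like text."""
    parser = expat.ParserCreate()
    findings, buf, state = [], [], {"in_cdata": False, "line": 0}

    def start_cdata():
        state["in_cdata"], state["line"] = True, parser.CurrentLineNumber
        buf.clear()

    def chars(data):
        # Character data may arrive in several chunks; collect only inside CDATA.
        if state["in_cdata"]:
            buf.append(data)

    def end_cdata():
        state["in_cdata"] = False
        content = "".join(buf)
        if MARKUP.search(content):
            findings.append((state["line"], content))

    def reject_doctype(*_args):
        # Assumption of this example: audited files with a DOCTYPE go to manual review.
        raise ValueError("DOCTYPE not accepted in audited SVG")

    parser.StartCdataSectionHandler = start_cdata
    parser.EndCdataSectionHandler = end_cdata
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(svg_text, True)
    return findings
```

A file that is not well-formed XML raises `xml.parsers.expat.ExpatError`, which an audit run should record as a finding of its own rather than skip.
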
If you have any questions or comments about this advisory:

* Open an issue in GitHub
* Email us at daryll@enshrined.co.uk