SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.
This issue is fixed in 0.15.0 and higher.
There is currently no workaround available without upgrading.
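An audit aid for after the upgrade, as an added example that is not part of the advisory or the library's code: it flags stored SVG text in which a CDATA section contains markup, which is the content older versions left in place, so those files can be re-sanitized with 0.15.0 or higher. The function names, the heuristic and the sample inputs are assumptions constructed for illustration.

```python
import re

# A CDATA section runs from "<![CDATA[" to the first "]]>" (sections cannot
# nest). An unterminated section is treated as running to end of input.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)(?:\]\]>|\Z)", re.DOTALL)
# "<" followed by a character that can open a tag, comment or declaration.
MARKUP_RE = re.compile(r"<[A-Za-z/!?]")


def cdata_markup_findings(svg_text):
    """Return (line_number, snippet) for each CDATA section holding markup."""
    findings = []
    for match in CDATA_RE.finditer(svg_text):
        body = match.group(1)
        if MARKUP_RE.search(body):
            line = svg_text.count("\n", 0, match.start()) + 1
            findings.append((line, " ".join(body.split())[:60]))
    return findings


def audit(files):
    """files maps name -> SVG text; return the names that need re-sanitizing."""
    return sorted(n for n, text in files.items() if cdata_markup_findings(text))


# Constructed sample inputs (benign markup only), not taken from the advisory.
SAMPLES = {
    "clean.svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "style.svg": "<svg><style><![CDATA[ circle { fill: red; } ]]></style></svg>",
    "wrapped.svg": "<svg>\n<desc><![CDATA[<b>bold</b>]]></desc>\n</svg>",
    "unterminated.svg": "<svg><desc><![CDATA[<i>open",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        for line, snippet in cdata_markup_findings(SAMPLES[name]):
            print(f"{name}:{line}: markup inside CDATA: {snippet}")
```

A CDATA section that holds only CSS, as in style.svg, is not flagged; a hit means the file should be passed through the fixed sanitizer again, not that it is known to be malicious.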
If you have any questions or comments about this advisory:

* Open an issue in GitHub
* Email us at daryll@enshrined.co.uk
{ "nvd_published_at": "2022-02-14T21:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-02-14T22:54:18Z" }