Brutkey

cR0w
@cR0w@infosec.exchange

It's 2025 right? I haven't gone back in time? Okay, just checking.

https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh

The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows bypassing the isHrefSafeValue check. As a result, this allows cross-site scripting or linking to external domains.
Actually, I shouldn't mock this. It appears to be a small project making an effort at protecting from such a stupid attack vector that doesn't need to exist. And they're up front about their own vulnerabilities. That's better than many projects out there so good for them. 🍻🍻
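As an added illustration of the advisory's point (this is example code written for this page, not svg-sanitizer's own code, and isHrefValueSafe, findUnsafeHrefs and the constructed sample SVG are assumptions): the same attribute walk is run twice over one document, once comparing attribute names exactly, as the advisory describes, and once after lower-casing them, so that xlink:HrEf and HREF are inspected with the same value policy as xlink:href.

```php
<?php
declare(strict_types=1);

// Added example, not code from the svg-sanitizer project. Demonstrates why
// href-type attribute names must be matched case-insensitively when sanitizing SVG.

// Attribute names that carry a URL reference in SVG (compared in lower case).
const HREF_ATTRIBUTE_NAMES = ['href', 'xlink:href'];

// Conservative value policy (assumption for this example): only empty values and
// same-document fragment references (#id) pass; external URLs and scheme URIs fail.
function isHrefValueSafe(string $value): bool
{
    $value = trim($value);
    return $value === '' || str_starts_with($value, '#');
}

// Parse untrusted SVG without fetching external resources (LIBXML_NONET) and
// without entity substitution (no LIBXML_NOENT), so parsing itself stays safe.
function parseSvg(string $svg): DOMDocument
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    if (!$doc->loadXML($svg, LIBXML_NONET)) {
        throw new InvalidArgumentException('SVG could not be parsed as XML');
    }
    return $doc;
}

// Report href-type attributes whose value fails the policy.
// $caseInsensitive = false reproduces the flawed lower-case-only lookup;
// $caseInsensitive = true is the hardened comparison.
function findUnsafeHrefs(string $svg, bool $caseInsensitive): array
{
    $doc = parseSvg($svg);
    $findings = [];
    foreach ((new DOMXPath($doc))->query('//*') as $element) {
        foreach ($element->attributes as $attr) {
            // nodeName is the qualified name as written, e.g. "xlink:HrEf".
            $name = $caseInsensitive ? strtolower($attr->nodeName) : $attr->nodeName;
            if (!in_array($name, HREF_ATTRIBUTE_NAMES, true)) {
                continue; // flawed path: a mixed-case name never matches and is kept as-is
            }
            if (!isHrefValueSafe($attr->value)) {
                $findings[] = sprintf('<%s %s="%s">', $element->nodeName, $attr->nodeName, $attr->value);
            }
        }
    }
    return $findings;
}

// Constructed sample: one legitimate fragment reference and two mixed-case
// href attributes pointing at an external domain (reserved .example TLD).
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="#icon"/>
  <a xlink:HrEf="https://external.example/">x</a>
  <a HREF="https://external.example/">y</a>
</svg>
SVG;

printf("exact-case lookup: %d finding(s)\n", count(findUnsafeHrefs($sample, false)));
foreach (findUnsafeHrefs($sample, true) as $finding) {
    echo "case-insensitive lookup: {$finding}\n";
}
```

The exact-case pass reports nothing, because neither xlink:HrEf nor HREF equals a lower-case list entry; the case-insensitive pass reports both external links. In a real sanitizer the matching attributes would be collected during the walk and removed afterwards with removeAttributeNode(), rather than only reported; the point here is that the name comparison, not just the value check, decides whether the policy is applied at all.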