Description
Cross-Site Scripting in scratch-svg-renderer
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Packages
Name: scratch-svg-renderer (npm)
Affected versions: <= 0.2.0-prerelease.20201016121710
Fixed version: 0.2.0-prerelease.20201019174008
Related vulnerabilities
CVSS3: 9.6
nvd
more than 5 years ago