Описание
svg-sanitizer has Cross-site Scripting Bypass
Update
In #88 we have determined that the bypass this security advisory was created for, was a false positive and as such we have requested that the CVE be rejected.
A bypass has been found that allows an attacker to upload an SVG with persistent XSS.
HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements.
Any data within a CDATA node will now be sanitised using HTMLPurifier. We've also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they're not legal within the SVG context.
Additional tests have been added to the test suite to account for these new bypasses.
Impact
This impacts all users of the svg-sanitizer library.
Patches
This issue is fixed in 0.16.0 and higher.
Workarounds
There is currently no workaround available without upgrading.
For more information
If you have any questions or comments about this advisory:
Open an issue in Github Email us at daryll@enshrined.co.uk
Пакеты
enshrined/svg-sanitize
< 0.16.0
0.16.0
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.