Advisories for Composer/Enshrined/Svg-Sanitize package

Problem The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. Proof-of-concept provided by azizk <?xml version="1.0" encoding="UTF-8"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"> <a xlink:hReF="javascript:alert(document.domain)"> <rect width="100" height="50" fill="red"></rect> <text x="50" y="30" text-anchor="middle" fill="white">Click me</text> </a> </svg> Credits The mentioned findings and proof-of-concept example were …

savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now …

A Cross-site Scripting vulnerability was found in svg-sanitizer.

It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer.

darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript :alert substring.