It seems tag 0.15.0 addressed a security vulnerability, see corresponding advisory GHSA-fqx8-v33p-4qcc (CVE-2022-23638)
Corresponding commit at 17e12ba contains a new test case tests/data/htmlTest.svg.
Invoked as svg.svg in browser, mime-type image/svg+xml
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="-1 -1 2 2">
<!--><img src onerror=alert(1)><!-->
<?x ><img src onerror=alert(1)><?x?>
<p/><![CDATA[ ><img src onerror=alert(1)> ]]>
<font face=""/><![CDATA[ ><img src onerror=alert(1)> ]]>
</svg> → no problem since <img> is not a SVG element
-> not a vulnerability
Invoked as svg.html in browser, mime-type text/htm
<html>
<body>
<div>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="-1 -1 2 2">
<!--><img src onerror=alert(1)><!-->
<?x ><img src onerror=alert(1)><?x?>
<p/><![CDATA[ ><img src onerror=alert(1)> ]]>
<font face=""/><![CDATA[ ><img src onerror=alert(1)> ]]>
</svg>
</div>
</body>
</html>→ valid concern, since HTML is used in inline SVG
→ scripts are executed in browser
→ cross-site scripting vulnerability
Conclusion & Post-review
Request
- @darylldoyle please report back, whether these assumptions are correct (it affects only SVG used inline in some HTML-context)
- consider updating advisory details of GHSA-fqx8-v33p-4qcc - I can support with that task
It seems tag
0.15.0addressed a security vulnerability, see corresponding advisory GHSA-fqx8-v33p-4qcc (CVE-2022-23638)Corresponding commit at 17e12ba contains a new test case
tests/data/htmlTest.svg.Invoked as
svg.svgin browser, mime-typeimage/svg+xml→ no problem since
<img>is not a SVG element-> not a vulnerability
Invoked as
svg.htmlin browser, mime-typetext/htm→ valid concern, since HTML is used in inline SVG
→ scripts are executed in browser
→ cross-site scripting vulnerability
Conclusion & Post-review
<img>) seems to be fine, see https://developer.mozilla.org/en-US/docs/Web/SVG/Element#cdataand#commentnodes seems to be superfluous and leads to regressions like in CDATA section is removed #70Request