8 matches found
GHSA-H857-2G56-468G @mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Impact The sanitize-svg package uses a deny-list pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal <script>-tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.from(svgEl.attributes).map(({ name }) => name) const...
CVE-2023-22461
The sanitize-svg package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list pattern to sanitize SVGs to prevent XSS. In doing so, literal <script>-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on sanitize-sv...
CVE-2023-22461
CVE-2023-22461 concerns the sanitizer package sanitize-svg. The issue arises from a deny-list approach that fails to block certain vectors, allowing embedded JavaScript via literal [removed] tags or on-* attributes in SVGs. The vulnerability affects versions prior to 0.4.0; a patch was released ...
CVE-2023-22461 sanitize-svg Filter Bypass Allows Cross-Site Scripting (XSS)
The sanitize-svg package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list pattern to sanitize SVGs to prevent XSS. In doing so, literal <script>-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on sanitize-sv...
sanitize-svg security vulnerability
sanitize-svg is a small SVG sanitizer to prevent XSS attacks. A security vulnerability exists in versions of sanitize-svg prior to 0.4.0 that stems from its use of a deny-list approach to sanitize SVGs to prevent cross-site scripting, but an attacker can cause downstream software that relies on it to...