Current version is up to 0.10.0.
Changes since 0.7.2 include:
- Allow use tags through as long as they don't reference external resources.
- Allow image tags
- Allow safe image data URIs through
- Allow setting xml options and another bugfix
- Restructure arrays and add slope to attribute list
- Always use lower case tags
I haven't been able to assess whether or not any are breaking changes.
Comment | File | Size | Author
---|---|---|---
#15 | 3064351.patch | 5.84 KB | larowlan
Comments
Comment #2
larowlan: It's a minor update, so it should be fine; we should just relax the constraint to support minors.
Comment #3
larowlan: We currently use ^0.7.1 but according to the composer docs that is interpreted as >0.7.1 and < 1.0.0
The salient part in their example docs:
So there's nothing to do here.
Comment #4
matt_paz: @larowlan
Hmmm. I may be mistaken, but perhaps that isn't quite right?
Note the except if major version is 0 exception?
Am I reading that right?
Comment #5
larowlan: Probably would help if I read the whole section in the docs 😂
100% happy to do a new release with a more flexible version constraint - what would you suggest?
Comment #6
matt_paz: Heh, well, I initially thought that too, but I couldn't figure out why it wasn't updating, so I just kept digging.
Hmm. Hard to say. If ya want to provide lots of flexibility (given the composer limitations), I'd guess ya might go with `~0.10` until a 1.X release is provided (or until breaking changes are encountered in 0.X -- at which point ya could lock it to a particular version in the interim). I'd thought about `0 - 1`, but the 1.X release would probably be a significant enough milestone to warrant some deeper review.
So I'd guess either `~0.10` or just stick with `^0.10` and continue to monitor as changes are made.
Also, FWIW, I haven't actually tested with 0.10 yet.
Thoughts?
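As an added example (not code from this issue thread or from the svg_sanitizer module), here is a small Python model of Composer's caret, tilde and hyphen-range rules, including the "major version is 0" exception raised above. It shows why `^0.7.1` never admitted 0.10.0 while `~0.10` admits every 0.x release from 0.10 up; the 1.0.0 release used in the check is hypothetical, and stability flags, wildcards and `||` unions are not modelled.

```python
from typing import Tuple

Version = Tuple[int, int, int]


def parse(text: str) -> Tuple[Version, int]:
    """Parse '0.10' into ((0, 10, 0), 2): zero-padded tuple plus the number of parts given."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version {text!r}")
    return tuple(parts + [0] * (3 - len(parts))), len(parts)


def bounds(constraint: str) -> Tuple[Version, Version]:
    """Return the half-open [low, high) range a constraint allows."""
    c = constraint.strip()
    if " - " in c:
        # Hyphen range: a partial right side means "anything with that prefix",
        # so the exclusive upper bound is the next value of the last given part.
        lo_text, hi_text = c.split(" - ", 1)
        (lo, _), (hi, n) = parse(lo_text), parse(hi_text)
        bumped = [hi[0], hi[1], hi[2]]
        bumped[n - 1] += 1
        return lo, (bumped[0], bumped[1], bumped[2])
    if c.startswith("^"):
        # Caret: allow up to the next major, EXCEPT when the major is 0, where
        # the minor (or, for ^0.0.x, the patch) is the breaking-change boundary.
        lo, n = parse(c[1:])
        if lo[0] != 0 or n == 1:
            return lo, (lo[0] + 1, 0, 0)
        if lo[1] != 0 or n == 2:
            return lo, (0, lo[1] + 1, 0)
        return lo, (0, 0, lo[2] + 1)
    if c.startswith("~"):
        # Tilde: bump the part *above* the last one specified (~1.2 -> <2.0, ~1.2.3 -> <1.3).
        lo, n = parse(c[1:])
        return lo, ((lo[0] + 1, 0, 0) if n <= 2 else (lo[0], lo[1] + 1, 0))
    raise ValueError(f"unsupported constraint {constraint!r}")


def satisfies(version: str, constraint: str) -> bool:
    """True if the plain version number lies within the constraint's range."""
    v, _ = parse(version)
    lo, hi = bounds(constraint)
    return lo <= v < hi


if __name__ == "__main__":
    # Constraints from the thread, checked against the releases it names plus a hypothetical 1.0.0.
    for constraint in ("^0.7.1", "~0.10", "^0.10", "0 - 1"):
        allowed = [v for v in ("0.7.2", "0.10.0", "1.0.0") if satisfies(v, constraint)]
        print(f"{constraint:>7} -> {allowed}")
```

Running it prints that `^0.7.1` allows only 0.7.2, `~0.10` and `^0.10` allow 0.10.0, and `0 - 1` also lets a 1.0.0 release in.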
Comment #7
larowlan: Happy to go with `~0.10` but yeah, let's get some testing done first
Comment #10
larowlan: There is a security fix in the upstream library - https://github.com/darylldoyle/svg-sanitizer/commit/51ca4b713f3706d6b277...
It's not yet in a tagged release, but we should relax our constraint so that when it is available, it can be installed.
Adding those who reported this privately first and worked on it there
Comment #11
larowlan: We're waiting for upstream to cut a new tag here
Comment #12
tsug0d: Hi, note that it is not only the XSS fix but also the Denial of Service (the new billion laughs attack introduced by us); we can see the beginning "bug-fix" commit is a60a9b3 in https://github.com/darylldoyle/svg-sanitizer/commits/master from ohader, and we recommend updating the full repository code.
Comment #13
larowlan: Thanks, once a new release is made available from upstream, I'll update the composer.json here to be ^{that version}
Comment #14
larowlan: Upstream tag is available
Comment #15
larowlan
Comment #16
larowlan
Comment #18
larowlan: Rolling a new release