Problem/Motivation

The composer.json for this module requires enshrined/svg-sanitize at version >=0.15. A security notice is posted for versions <0.22

Fix: Update the composer.json to the secure minimum value:

    "require": {
        "enshrined/svg-sanitize": ">=0.22 <1.0"
    }

Steps to reproduce

Proposed resolution

Update dependencies in composer.json

Remaining tasks

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
svg_image-sec-issue-184085-1.patch500 bytesfathershawn

Issue fork svg_image-3542254

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

fathershawn created an issue. See original summary.

mably’s picture

Category: Bug report » Task

Hi @fathershawn, thanks for your patch.

Could you create a MR please?

damienmckenna’s picture

Issue tags: +Security improvements

FYI because the module's composer constraints allow individual site maintainers to upgrade their site to a secure version of the dependency (enshrined/svg-sanitize) it fits within the jurisdiction of PSA-2011-002 so no advisory is needed for this. That said, I've tagged this as a "security improvement" as it is important to encourage site owners to upgrade, and many won't until their modules require it.

fathershawn’s picture

There you go!

mably’s picture

Status: Active » Fixed

Merged. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.