Closed (fixed)
Project:
Svg Image
Version:
3.2.1
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
20 Aug 2025 at 14:05 UTC
Updated:
4 Sep 2025 at 11:54 UTC
Jump to comment: Most recent
The composer.json for this module requires enshrined/svg-sanitize at version >=0.15. A security notice is posted for versions <0.22
Fix: Update the composer.json to the secure minimum value:
"require": {
"enshrined/svg-sanitize": ">=0.22 <1.0"
}
Update dependencies in composer.json
| Comment | File | Size | Author |
|---|---|---|---|
| svg_image-sec-issue-184085-1.patch | 500 bytes | fathershawn |
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
mably commentedHi @fathershawn, thanks for your patch.
Could you create a MR please?
Comment #3
damienmckennaFYI because the module's composer constraints allow individual site maintainers to upgrade their site to a secure version of the dependency (enshrined/svg-sanitize) it fits within the jurisdiction of PSA-2011-002 so no advisory is needed for this. That said, I've tagged this as a "security improvement" as it is important to encourage site owners to upgrade, and many won't until their modules require it.
Comment #5
fathershawnThere you go!
Comment #6
mably commentedMerged. Thanks!