Install
Works with Drupal: ^10.3 || ^11
Using Composer to manage Drupal site dependencies
Download tar.gz
424.62 KB
MD5: 54bf175415b72f43b9d61980e77a75ad
SHA-1: b6c762a9c496abcdcbe4d2f905f3d146a9473891
SHA-256: 4571d22b874d8bd01b2f2956b0e60243472a1e68d2ca6bf6aed3d048af4300ca
Download zip
872.2 KB
MD5: e4d974f5f5dbdd1764780c6d1e57a10f
SHA-1: 2a286e419faa9dfd05cc7b11eb52f9535cf66c47
SHA-256: be698dabd675ce035e2863c4d7266cc3e77eb6d8feb29eaf62b882e22b567839
Release notes
SVG Sanitization & Re-enabled SVG Support
This release re-enables SVG image support in the mcp_tools_remote_media submodule, now backed by robust XSS sanitization using the enshrined/svg-sanitize
library (GPL-2.0, 41M+ installs).
What changed:
- SVG support restored — image/svg+xml is once again an allowed MIME type for fetch_remote_image. In beta6, SVG was disabled due to XSS/XXE risks; it is now
safe to use.
- Automatic SVG sanitization — All fetched SVG files are sanitized before saving. The sanitizer strips:
-
tags and inline JavaScript
- Event handler attributes (onload, onclick, etc.)
- elements (HTML injection vector)
- Remote references (xlink:href to external resources)
- Extensible sanitization hook — A new sanitizeContent() method in AbstractRemoteFileService provides a clean override point. The base implementation is a
pass-through; RemoteImageService overrides it for SVG. Future media subclasses (audio, video, documents) can leverage this same pattern.
- 5 new unit tests covering script stripping, event handler removal, foreignObject removal, invalid XML rejection, and non-SVG passthrough.
New dependency: enshrined/svg-sanitize: ^0.22
Upgrade notes: No breaking changes. Sites upgrading from beta6 gain SVG support automatically. Run composer update to pull in the new dependency.
Credits: SVG sanitization builds on the mcp_tools_remote_media submodule contributed by guillaumeg in beta6 (MR #3577187).
