Headline
CVE-2023-28426: Merge pull request from GHSA-xrqq-wqh4-5hg2 · darylldoyle/svg-sanitizer@cce18bc
savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn’t seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they’re not legal within the SVG context. There are no known workarounds.
@@ -323,4 +323,36 @@ public function cdataSectionIsSanitized()
self::assertXmlStringEqualsXmlString($expected, $cleanData); }
/** * @test */ public function cdataBackgroundSectionIsSanitized() { $dataDirectory = __DIR__ . '/data’; $initialData = file_get_contents($dataDirectory . ‘/cdataTwoTest.svg’); $expected = file_get_contents($dataDirectory . ‘/cdataTwoClean.svg’);
$sanitizer = new Sanitizer(); $sanitizer->minify(false); $cleanData = $sanitizer->sanitize($initialData);
self::assertXmlStringEqualsXmlString($expected, $cleanData); }
/** * @test */ public function formDataisSanitized() { $dataDirectory = __DIR__ . '/data’; $initialData = file_get_contents($dataDirectory . ‘/formDataTest.svg’); $expected = file_get_contents($dataDirectory . ‘/formDataClean.svg’);
$sanitizer = new Sanitizer(); $sanitizer->minify(false); $cleanData = $sanitizer->sanitize($initialData);
self::assertXmlStringEqualsXmlString($expected, $cleanData); } }
Related news
A bypass has been found that allows an attacker to upload an SVG with persistent XSS. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements. Any data within a CDATA node will now be sanitised using [HTMLPurifier](https://github.com/ezyang/htmlpurifier). We've also removed many of the HTML and MathML elements from the allowed element list, as without `ForiegnObject`, they're not legal within the SVG context. Additional tests have been added to the test suite to account for these new bypasses. ### Impact This impacts all users of the `svg-sanitizer` library. ### Patches This issue is fixed in 0.16.0 and higher. ### Workarounds There is currently no workaround available without upgrading. ### For more information If you have any questions or comments about this advisory: Open an issue in [Github](https://github.com/darylldoyle/svg-sanitizer/issues) Email us at [daryll@ens...