
Conversation


@darylldoyle darylldoyle commented Aug 12, 2025

Description of the Change

Updated the enshrined/svg-sanitize package from version ^0.21.0 to ^0.22.0 in composer.json to use the latest release.

This update resolves an issue where attribute name case inconsistencies (e.g., xlink:Href instead of xlink:href) in XML processing could cause namespace lookups and sanitisation to fail. Attribute names in both namespaced and non-namespaced contexts are now normalised to their expected lowercase form before processing. This ensures consistent sanitisation of xlink:href and other targeted attributes regardless of their original case.

Changelog Entry

  • Security - Updated the sanitisation library to fix an issue with case-insensitive attributes slipping through the sanitiser.

Credits

@darylldoyle

Checklist:
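Added illustration of the failure mode described above (example code written for this page, not code from safe-svg or from enshrined/svg-sanitize). It assumes a simplified sanitiser with two checks that can be keyed on the attribute name differently: an attribute allowlist that is already case-insensitive, and a URL-value check for href / xlink:href that is keyed on the exact name. With that structure, `xlink:Href` and `HREF` pass the allowlist but skip the value check, so a `javascript:` URL survives. The relevance is that an SVG inlined into an HTML document is parsed by the HTML tokenizer, which lowercases attribute names, so the surviving `xlink:Href` becomes a working `xlink:href` in the browser. Normalising the name once, up front, and using that normalised name for every check is the fix the PR description refers to; the names `normalise_attr_name`, `sanitize` and the sample SVG are assumptions made for this example.

```python
"""Toy sanitiser showing why attribute-name case must be normalised before
every check. This is illustrative code, not enshrined/svg-sanitize."""
from typing import List, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Names in ElementTree's Clark notation ("{namespace}local" or "local"),
# stored lowercase, as a sanitiser's allowlist normally would be.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
ALLOWED_ATTRS = {"id", "fill", "x", "y", "width", "height"} | URL_ATTRS

# Constructed sample input: two case variants carrying javascript: URLs
# and one correctly cased, harmless xlink:href.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <a xlink:Href="javascript:alert(1)"><text x="0" y="9">a</text></a>
  <a HREF="javascript:alert(2)"><text x="0" y="9">b</text></a>
  <a xlink:href="https://example.com/"><text x="0" y="9">c</text></a>
</svg>"""


def normalise_attr_name(name: str) -> str:
    """Lowercase the local part of an attribute name; keep the namespace URI as-is."""
    if name.startswith("{"):
        ns, local = name[1:].split("}", 1)
        return f"{{{ns}}}{local.lower()}"
    return name.lower()


def url_value_is_safe(value: str) -> bool:
    """Allow fragment/relative links and http(s); reject any other scheme."""
    return urlsplit(value.strip()).scheme.lower() in ("", "http", "https")


def sanitize(svg_text: str, normalise_first: bool) -> Tuple[str, List[str]]:
    """Strip disallowed attributes and URL attributes with unsafe values.

    normalise_first=False models the inconsistent sanitiser: the allowlist
    test is case-insensitive, but the URL-value test keys on the raw name,
    so xlink:Href is kept *and* never has its value checked.
    normalise_first=True normalises once and uses that name for every check.
    Element names are not filtered here; the example is about attributes only.
    """
    root = ET.fromstring(svg_text)
    removed: List[str] = []
    for el in root.iter():
        for raw_name, value in list(el.attrib.items()):
            lowered = normalise_attr_name(raw_name)
            # Allowlist check: case-insensitive in both variants.
            if lowered not in ALLOWED_ATTRS:
                del el.attrib[raw_name]
                removed.append(raw_name)
                continue
            # URL-value check: only the hardened variant keys it on the
            # normalised name, so only it catches xlink:Href and HREF.
            key = lowered if normalise_first else raw_name
            if key in URL_ATTRS and not url_value_is_safe(value):
                del el.attrib[raw_name]
                removed.append(raw_name)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for mode in (False, True):
        cleaned, removed = sanitize(SAMPLE_SVG, normalise_first=mode)
        print(f"normalise_first={mode}: removed={removed}")
        print(cleaned)
```

Run it and the `normalise_first=False` pass removes nothing while the `normalise_first=True` pass removes both `xlink:Href` and `HREF`, leaving the correctly cased `https:` link intact. The design point is that normalisation happens in exactly one place and before any lookup, so a new check added later cannot reintroduce the inconsistency.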

@darylldoyle darylldoyle self-assigned this Aug 12, 2025
@darylldoyle darylldoyle added the dependencies Pull requests that update a dependency file label Aug 12, 2025
@github-actions github-actions bot added the needs:feedback This requires feedback to determine next steps. label Aug 12, 2025
@github-actions

@darylldoyle thanks for the PR! Could you please fill out the PR template with description, changelog, and credits information so that we can properly review and merge this?

@darylldoyle darylldoyle force-pushed the update/svg-lib-0.22.0 branch from 70fdb91 to 4972491 Compare August 12, 2025 10:36
@github-actions github-actions bot added needs:code-review This requires code review. and removed needs:feedback This requires feedback to determine next steps. labels Aug 12, 2025
@jeffpaul jeffpaul added this to the 2.4.0 milestone Aug 12, 2025
@jeffpaul jeffpaul moved this to Code Review in Open Source Practice Aug 12, 2025
@dkotter dkotter modified the milestones: 2.4.0, 2.3.3 Aug 12, 2025

@dkotter dkotter left a comment


Tested with an SVG that had an anchor tag with the attribute xlink:hReF. Before this PR, that attribute was not being sanitized. After pulling this PR and running composer install, the attribute does get sanitized properly.

@github-project-automation github-project-automation bot moved this from Code Review to QA Testing in Open Source Practice Aug 12, 2025
@dkotter dkotter merged commit 5135e08 into develop Aug 12, 2025
15 of 16 checks passed
@dkotter dkotter deleted the update/svg-lib-0.22.0 branch August 12, 2025 18:08
@github-project-automation github-project-automation bot moved this from QA Testing to Done in Open Source Practice Aug 12, 2025