I have been using the Cleaner since v1.16.1 to sanitize SVG by removing script.
After upgrading from v1.19.1 to v1.20.1, the behavior has changed and the text of the script is no longer removed.
A simplified example would be:
String dirtyString = "<svg><script>alert(\"test\")</script></svg>";
Document dirty = Parser.parse(dirtyString, "");
Safelist safelist = new Safelist().addTags("svg");
Cleaner cleaner = new Cleaner(safelist);
Document clean = cleaner.clean(dirty);
Document.OutputSettings outputSettings = new Document.OutputSettings().syntax(Document.OutputSettings.Syntax.xml);
String cleanString = clean.outputSettings(outputSettings).body().html();With all versions from v1.16.1 through v1.19.1, this results in <svg></svg> with all the script removed.
But with v1.20.1, it now results in <svg>alert("test")</svg>.
I have been using the Cleaner since v1.16.1 to sanitize SVG by removing script.
After upgrading from v1.19.1 to v1.20.1, the behavior has changed and the text of the script is no longer removed.
A simplified example would be:
With all versions from v1.16.1 through v1.19.1, this results in
<svg></svg>with all the script removed.But with v1.20.1, it now results in
<svg>alert("test")</svg>.