Missing SVG/HTML sanitization in SvgResponsiveImageFormatter

Created on 15 June 2023, over 1 year ago
Updated 10 April 2024, 8 months ago

Problem/Motivation

Steps to reproduce

  1. Enable the svg_image_responsive module
  2. Create a responsive image style
  3. Create an image field on an entity
  4. Set the image field formatter to 'Responsive Image', and uncheck the 'svg_render_as_image' option.
  5. As a user with edit permission on this entity or field, upload any HTML payload with an '.svg' extension as the image. Example content: <script>alert(1)</script>
  6. The file is included in the HTML output for the entity without any sanitization.

Proposed resolution

Use the SvgSanitizer also in the responsive image formatter.
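The following is an added example, not code from the svg_image module or its SvgResponsiveImageFormatter. It shows the two render paths side by side: the unsanitized inlining the steps above describe, and a hardened version that only inlines a file after it has been sanitized and confirmed to be an SVG document. The issue names a SvgSanitizer but not the library behind it, so the use of the enshrined/svg-sanitize package here is an assumption; the function names, the fallback to an img tag and the sample payloads are constructed for the example (the first payload is the one given in the reproduction steps).

```php
<?php
declare(strict_types=1);

// Added example (not module code). Assumes: composer require enshrined/svg-sanitize
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Constructed sample 1: the payload from the reproduction steps, an HTML
// fragment uploaded with a .svg extension. It is not an SVG document at all.
const HTML_PAYLOAD = '<script>alert(1)</script>';

// Constructed sample 2: a real SVG that carries an event handler and a script.
const HOSTILE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(2)">'
  . '<script>alert(3)</script><rect width="10" height="10"/></svg>';

/**
 * Vulnerable pattern, as described in the report: the file contents are
 * placed into the page verbatim, so any markup in the file runs in the
 * context of the site.
 */
function inlineSvgUnsafe(string $fileContents): string {
  return $fileContents;
}

/**
 * True when $xml parses as XML (without network access) and its root
 * element is <svg>. Used to refuse anything that merely has a .svg name.
 */
function isSvgDocument(string $xml): bool {
  $previous = libxml_use_internal_errors(true);
  $doc = new DOMDocument();
  $loaded = $doc->loadXML($xml, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);
  return $loaded
    && $doc->documentElement !== null
    && $doc->documentElement->localName === 'svg';
}

/**
 * Hardened pattern: sanitize first, then verify the result is still an SVG
 * document. If either step fails, do not inline at all; render a plain
 * <img> pointing at the file, which the browser treats as a static image
 * and never executes script from.
 */
function inlineSvgSafe(string $fileContents, string $publicUrl, string $alt): string {
  $sanitizer = new Sanitizer();
  $sanitizer->removeRemoteReferences(true); // drop hrefs to other origins
  $clean = $sanitizer->sanitize($fileContents);

  if ($clean === false || !isSvgDocument($clean)) {
    return sprintf(
      '<img src="%s" alt="%s">',
      htmlspecialchars($publicUrl, ENT_QUOTES, 'UTF-8'),
      htmlspecialchars($alt, ENT_QUOTES, 'UTF-8')
    );
  }
  return $clean;
}

// Demonstration on the constructed samples.
foreach (['html-as-svg' => HTML_PAYLOAD, 'hostile-svg' => HOSTILE_SVG] as $label => $upload) {
  echo "== $label ==\n";
  echo "unsafe: " . inlineSvgUnsafe($upload) . "\n";
  echo "safe:   " . inlineSvgSafe($upload, '/files/upload.svg', 'uploaded image') . "\n\n";
}
```

For the HTML payload the sanitizer has no svg root to keep, so the safe path falls back to the img tag; for the hostile SVG the onload attribute and the script element are removed and the rect survives. The same check belongs on the upload side as well, as a file validator, so that non-SVG content is rejected before it is ever stored.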

🐛 Bug report
Status

Closed: cannot reproduce

Version

3.0

Component

Code

Created by


Comments & Activities
