netcarver/textile security: XSS vulnerability

Open on Drupal.org →

Created on 8 January 2025, 10 months ago

Problem/Motivation

High security vulnerability.

Steps to reproduce

❯ composer audit

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | netcarver/textile                                                                |
| Severity          | high                                                                             |
| CVE               | NO CVE                                                                           |
| Title             | PHP-Textile has persistent XSS vulnerability in image link handling              |
| URL               | https://github.com/advisories/GHSA-95m2-chm4-mq7m                                |
| Affected versions | <=4.1.2                                                                          |
| Reported at       | 2025-01-07T17:11:02+00:00                                                        |
| Advisory ID       | PKSA-q7hq-sbtp-vntg                                                              |
+-------------------+----------------------------------------------------------------------------------+

❯ composer why netcarver/textile

drupal/paragraphs_paste 2.0.0-beta6 requires netcarver/textile (^3.7)

Proposed resolution

Test with 4.1.3 or wait for 3.x release with back ported fix from 4.1.3.

Remaining tasks

Testing with 4.1.3.
Cut a new release with updated dependency.

📌 Task

Status

Active

Version

2.0

Component

Miscellaneous

Created by

🇺🇸United States utcwebdev

Live updates comments and jobs are added and updated live.

composer update

Sign in to follow issues

Merge Requests

!12netcarver/textile security: XSS vulnerability
Merged
🇩🇪Germany volkerk
updated 9 months ago

Comments & Activities

Issue created by @utcwebdev
First commit to issue fork.
Merge request !12Issue #3498237: netcarver/textile security: XSS vulnerability → (Merged) created by volkerk
Comment 10 months ago →
🇩🇪Germany volkerk
Comment 9 months ago →
🇩🇪Germany daniel.bosen
Comment 9 months ago →
🇩🇪Germany volkerk
Comment 9 months ago →
🇩🇪Germany IT-Cru Munich
Changes of MR looks fine for me. Question would be if there are any compatibility issues when switching from 3.x to 4.x of netcarver/textile library because 3.x is now over 2 years old.

Is there any PHP Unit testing in paragraphs_paste module which run some netcarver/textile related tests?
Comment 9 months ago →
System Message

volkerk → committed 5cc3038a on 2.x
Issue #3498237: netcarver/textile security: XSS vulnerability
Comment 9 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024