Closed jkanape closed 2 years ago
As I commented in https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-fqx8-v33p-4qcc
So are CDATA sections always removed? That seems a bit overkill; replacing them with text nodes with the same data should be safe and not remove legitimate information.
From version 15.0 CDATA nodes are removed.
Example document:
Result from 15.0 (15.1, 15.2):
Suspicious node '#cdata-section'
Result before 15.0 (14.1):
Can't find a way to add #cdata-section to safe nodes, as the list is hardcoded.
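
The replacement suggested in the issue (CDATA sections turned into ordinary text nodes carrying the same data) can be sketched with PHP's DOM extension. This is an added example, not code from svg-sanitizer or from the issue author; the function name `cdataToText` and the sample SVG are constructed for illustration.

```php
<?php
// Added example: convert every CDATA section into a plain text node.
// cdataToText() is a hypothetical helper, not part of svg-sanitizer.
function cdataToText(string $xml): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing untrusted input.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Input is not well-formed XML');
    }

    $xpath = new DOMXPath($doc);
    // In libxml's XPath, text() matches CDATA sections as well as text nodes.
    // Copy the result to an array because the tree is modified in the loop.
    foreach (iterator_to_array($xpath->query('//text()')) as $node) {
        if ($node instanceof DOMCdataSection) {
            // Same character data, but as a text node: on serialization
            // '<', '>' and '&' are written as entities, not raw markup.
            $text = $doc->createTextNode($node->data);
            $node->parentNode->replaceChild($text, $node);
        }
    }

    return $doc->saveXML($doc->documentElement);
}

// Constructed sample input: a CDATA section holding markup-like characters.
$svg = '<svg xmlns="http://www.w3.org/2000/svg">'
     . '<text><![CDATA[1 < 2 & <b>not markup</b>]]></text>'
     . '</svg>';

$out = cdataToText($svg);
echo $out, PHP_EOL;

// After conversion, no CDATA section is left in the serialized document,
// and re-parsing it yields the same character data as before.
$check = new DOMDocument();
$check->loadXML($out, LIBXML_NONET);
var_dump(strpos($out, '<![CDATA[') === false);
var_dump($check->documentElement->textContent === '1 < 2 & <b>not markup</b>');
```

Passing `LIBXML_NOCDATA` to `loadXML()` has the same effect at parse time, since that flag merges CDATA sections into text nodes.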