ohader closed 11 months ago
How to continue with this PR? As it turned out these changes were not necessary and did NOT fix a vulnerability...
Basically, I'd like to get rid of the superfluous dependency on ezyang/htmlpurifier.
Any plans on releasing a version that includes this change?
To install enshrined/svg-sanitize without htmlpurifier I have to use the dev-master version currently.
UPDATE: Sorry, I just now found that this was already asked for in https://github.com/darylldoyle/svg-sanitizer/issues/97#issuecomment-1898208024
see commit https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322
This change partially reverts changes of the mentioned commit, see https://github.com/darylldoyle/svg-sanitizer/issues/88 for details.
ezyang/htmlpurifier and its invocation
AllowedTags (fine as regular bugfix, but did not qualify for a security fix)
CVE-2023-28426 does not fix a real vulnerability and will be requested to be rejected in the CVE process at cve.mitre.org.
Fixes: #88