darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0
454 stars 67 forks

Revert changes introduced for GHSA-xrqq-wqh4-5hg2 (CVE-2023-28426) #89

Closed ohader closed 11 months ago

ohader commented 1 year ago

see commit https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322

This change partially reverts changes of the mentioned commit, see https://github.com/darylldoyle/svg-sanitizer/issues/88 for details.

CVE-2023-28426 does not fix a real vulnerability and will be requested to be rejected in the CVE process at cve.mitre.org.

Fixes: #88

ohader commented 1 year ago

How to continue with this PR? As it turned out these changes were not necessary and did NOT fix a vulnerability... Basically, I'd like to get rid of the superfluous dependency on ezyang/htmlpurifier.

ausi commented 5 months ago

Any plans on releasing a version that includes this change? To install enshrined/svg-sanitize without htmlpurifier I have to use the dev-master version currently.

UPDATE: Sorry, I just now found that this was already asked for in https://github.com/darylldoyle/svg-sanitizer/issues/97#issuecomment-1898208024