Cross-Site Scripting in scratch-svg-renderer
High severity
GitHub Reviewed
Published
Nov 9, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Package
Affected versions
<= 0.2.0-prerelease.20201016121710
Patched versions
0.2.0-prerelease.20201019174008
Description
Reviewed
Nov 9, 2020
Published to the GitHub Advisory Database
Nov 9, 2020
Last updated
Jan 9, 2023
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
References