Cross-Site Scripting in scratch-svg-rendererscratch-svg-renderer
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Upgrade to version 0.2.0-prerelease.20201019174008 or later.
publishedAdvisory PublishedNov 9th, 2020
reportedReported by UnknownNov 9th, 2020