Severity: high

Cross-Site Scripting in scratch-svg-renderer



This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.


Upgrade to version 0.2.0-prerelease.20201019174008 or later.
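To check a project against the fixed version above, the following added example (not code from the advisory or from the scratch-svg-renderer project) compares versions by SemVer 2.0.0 precedence and walks the `packages` map of an npm v2/v3 lockfile. The sample lockfile, its dependency names and the older version string are constructed for illustration.

```javascript
const FIXED = "0.2.0-prerelease.20201019174008"; // fixed version stated in the advisory

// Split a SemVer string into numeric core and prerelease identifiers (build metadata ignored).
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a SemVer version: ${version}`);
  return { core: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// SemVer 2.0.0 precedence: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  // A plain release outranks every prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts lower
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) {
      if (Number(p) !== Number(q)) return Number(p) - Number(q);
    } else if (pn !== qn) {
      return pn ? -1 : 1; // numeric identifiers sort below alphanumeric ones
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3), including nested copies.
function findAffected(lock, name = "scratch-svg-renderer") {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${name}`) || typeof info.version !== "string") continue;
    if (compare(info.version, FIXED) < 0) hits.push({ path, version: info.version });
  }
  return hits;
}

// Constructed sample lockfile; dependency names and the older version are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/scratch-svg-renderer": { version: "0.2.0-prerelease.20200101000000" },
  "node_modules/dep-a/node_modules/scratch-svg-renderer": { version: FIXED },
  "node_modules/dep-b/node_modules/scratch-svg-renderer": { version: "0.2.0" },
} };
console.log(findAffected(sampleLock));
```

Nested copies matter here because a transitive dependency can pin an older prerelease even when the top-level install is already at the fixed version.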


Advisory timeline

  1. Advisory published: Nov 9th, 2020
  2. Reported by Unknown: Nov 9th, 2020