X Tutup
Skip to content

fix: sanitize SVG#41234

Merged
DeepDiver1975 merged 1 commit intomasterfrom
fix/svg-href
Apr 16, 2024
Merged

fix: sanitize SVG#41234
DeepDiver1975 merged 1 commit intomasterfrom
fix/svg-href

Conversation

@DeepDiver1975
Copy link
Member

@DeepDiver1975 DeepDiver1975 commented Apr 15, 2024
edited
Loading

Description

SVG xlink:href will now completely be blocked as well as other image tag to harden SVG support.

Motivation and Context

Harden SVG support

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

@update-docs
Copy link

update-docs bot commented Apr 15, 2024

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Apr 15, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
62.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

This was referenced Apr 16, 2024
Closed
Closed
IljaN
IljaN reviewed Apr 16, 2024
View reviewed changes
composer.json
"phpseclib/phpseclib": "^3.0",
"pimple/pimple": "^3.5",
"punic/punic": "^3.8",
"rhukster/dom-sanitizer": "dev-main",
Copy link
Contributor

@IljaN IljaN Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to pin this specifically to commit: rhukster/dom-sanitizer@757e4d6

Copy link
Member Author

@DeepDiver1975 DeepDiver1975 Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The explicit commit is pinned in compose.lock

Copy link
Contributor

@IljaN IljaN Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't this automatically pull HEAD on every composer install on a fresh system?

Copy link
Member Author

@DeepDiver1975 DeepDiver1975 Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no -composer install operate on the lock file. lock file is updated via composer update

dont get confused with npm .....

Copy link
Contributor

@IljaN IljaN Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✔️

IljaN
IljaN approved these changes Apr 16, 2024
View reviewed changes
composer.json
"phpseclib/phpseclib": "^3.0",
"pimple/pimple": "^3.5",
"punic/punic": "^3.8",
"rhukster/dom-sanitizer": "dev-main",
Copy link
Contributor

@IljaN IljaN Apr 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✔️

@DeepDiver1975 DeepDiver1975 merged commit 2a51c4d into master Apr 16, 2024
@delete-merged-branch delete-merged-branch bot deleted the fix/svg-href branch April 16, 2024 10:15
@DeepDiver1975
Copy link
Member Author

DeepDiver1975 commented Apr 16, 2024

damit - changelog is missing .... will come up with another pr ...

DeepDiver1975 added a commit that referenced this pull request Apr 16, 2024
@DeepDiver1975
chore: add changelog item for #41234
0c07888
@DeepDiver1975 DeepDiver1975 mentioned this pull request Apr 16, 2024
Merged
phil-davis added a commit that referenced this pull request Apr 16, 2024
@phil-davis
Merge pull request #41235 from owncloud/chore/changelog-41234
c107927 
chore: add changelog item for #41234
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@IljaN IljaN IljaN approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DeepDiver1975 @IljaN
X Tutup