Darylldoyle Svg-Sanitizer Cross-Site Scripting Vulnerability via Mixed-Case Xlink Attributes

Vulnerability

A cross-site scripting vulnerability has been identified in the Darylldoyle Svg-Sanitizer package, specifically in versions prior to 0.22.0. The issue arises in the 'cleanXlinkHrefs' method, which matches attribute names case-sensitively and only recognizes the lower-case spelling. An 'xlink:href' attribute written with mixed case is therefore never passed to the 'isHrefSafeValue' check, so its value bypasses sanitization, potentially leading to the execution of malicious scripts or the creation of links to external domains.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks or the creation of links to external domains, which could be used for phishing or other malicious purposes.

Reproduction

To reproduce this vulnerability, create an SVG file that includes a link with a mixed-case 'xlink:href' attribute, such as 'xlink:hReF'. The 'cleanXlinkHrefs' method does not recognize this spelling, so the attribute is left in place without its value ever reaching the safety check; once rendered, the link can execute JavaScript, such as an alert displaying the current domain.
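As an added illustration (not the library's own code), the following Python sketch contrasts the case-sensitive attribute match the advisory describes with a case-insensitive one over a constructed SVG; href_is_safe, ALLOWED_SCHEMES and SAMPLE_SVG are assumptions made for this example and do not reproduce the library's actual rules.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed allow-list for this example; the library's own rules are not reproduced here.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}

# Constructed sample: the same unsafe link with the canonical attribute name,
# with the mixed-case spelling from the advisory, and one harmless link.
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="{XLINK_NS}">
  <a id="lower" xlink:href="javascript:alert(document.domain)"><text>a</text></a>
  <a id="mixed" xlink:hReF="javascript:alert(document.domain)"><text>b</text></a>
  <a id="ok" xlink:href="https://example.com/"><text>c</text></a>
</svg>"""


def href_is_safe(value: str) -> bool:
    """Simplified stand-in for an isHrefSafeValue-style check: fragments,
    relative paths and a few schemes pass; javascript:, data: and others fail."""
    return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES


def clean_xlink_hrefs(root: ET.Element, case_insensitive: bool) -> list:
    """Remove xlink href attributes whose value fails href_is_safe.
    With case_insensitive=False only the exact local name 'href' is inspected
    (the pre-0.22.0 pattern), so a spelling such as 'hReF' is never checked."""
    removed = []
    for el in root.iter():
        for name in list(el.attrib):
            ns, _, local = name.rpartition("}")  # "{uri}local" -> ("{uri", "}", "local")
            if ns != "{" + XLINK_NS:
                continue
            matched = local.lower() == "href" if case_insensitive else local == "href"
            if matched and not href_is_safe(el.attrib[name]):
                del el.attrib[name]
                removed.append((el.get("id"), local))
    return removed


def surviving_hrefs(svg_text: str, case_insensitive: bool) -> dict:
    """Parse, sanitize, and report which elements (by id) still carry any
    attribute whose local name is 'href' in any letter case."""
    root = ET.fromstring(svg_text)
    clean_xlink_hrefs(root, case_insensitive)
    left = {}
    for el in root.iter():
        names = [n for n in el.attrib if n.rpartition("}")[2].lower() == "href"]
        if names:
            left[el.get("id")] = names
    return left
```

The sanitizer parses as XML, where 'hReF' and 'href' are distinct attributes, but when the SVG is embedded in an HTML document the HTML tokenizer lowercases attribute names before the xlink adjustment, so the browser sees an ordinary xlink:href; comparing the local name case-insensitively closes that gap.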

Remediation

Users can upgrade to Darylldoyle Svg-Sanitizer version 0.22.0 or later to address this vulnerability.

Added: Aug 12, 2025, 5:17 PM
Updated: Aug 12, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm
  spread          2.4
  impact          1.7
  exploitability  5.8
  remediation     7.7
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.