Critical XSS Vulnerability in SVG Formatter


The Drupal Security Team announced on March 9th, 2022 a critical cross-site scripting (XSS) vulnerability in the SVG Formatter module, SA-CONTRIB-2022-028. The advisory is rated Critical on the basis of its risk score of 15/25 (AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All).

The flaw is in the dependency library enshrined/svg-sanitize, which the module relies on to strip dangerous content from uploaded SVG files before rendering them; the library's sanitization could be bypassed, leaving a cross-site scripting vulnerability. Jeroen Tubex of IO reported the vulnerability. It is mitigated by the fact that an attacker must have a role with a permission that allows them to upload SVG images.

The SVG Formatter module provides support for using SVG images on your website. The standard image field in Drupal 9 does not accept SVG files. This module adds a new formatter for the file field, which (unlike the image field) accepts uploads of any configured extension, including SVG.

Solution:

Update the module to 8.x-1.17 or 2.0.1. These releases require enshrined/svg-sanitize version 0.15 or newer, so updating the module also pulls in the fixed library. Goran Nikolovski of Studio Present fixed the issue, coordinated by Damien McKenna, Lee Rowlands and Greg Knaddison of the Drupal Security Team.

The updated library is most easily installed with Composer. The following command updates the module together with its dependencies, so the library is updated in the same step:

composer update --with-dependencies drupal/svg_formatter
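Because the vulnerable code lives in the library rather than the module, a site can still be exposed if its composer.lock keeps an old enshrined/svg-sanitize pinned. The script below is an added example (not code from the advisory or from the module) that audits a composer.lock offline for both the module and the library against the fixed versions named above. It assumes, as drupal.org's Composer endpoint normally does, that the 8.x-1.17 module release appears in the lock file as 1.17.0; the SAMPLE_LOCK data is constructed for the demonstration.

```python
"""Audit a Drupal site's composer.lock for the SA-CONTRIB-2022-028 fix.

Added example, not the advisory's or the module's code. Reads the lock
file instead of calling Composer so it runs offline and can be pointed
at many checked-out sites. Assumption: drupal.org's Composer endpoint
exposes module release 8.x-1.17 as "1.17.0" (verify against your lock).
"""
import json
import re
from typing import Dict, List, Tuple

MODULE = "drupal/svg_formatter"
LIBRARY = "enshrined/svg-sanitize"
# Fixed versions from the advisory: module 8.x-1.17 (1.x) or 2.0.1 (2.x),
# library 0.15 or newer.
MODULE_FIX_BY_MAJOR = {1: (1, 17, 0), 2: (2, 0, 1)}
LIBRARY_FIX = (0, 15, 0)

# Constructed sample lock file, reduced to the fields this script reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.3.6"},
        {"name": "drupal/svg_formatter", "version": "1.16.0"},
        {"name": "enshrined/svg-sanitize", "version": "0.14.1"},
    ],
    "packages-dev": [],
})


def parse_version(raw: str) -> Tuple[int, ...]:
    """'v0.15.0', '0.15' or '1.17.0' -> 3-tuple; branch names (dev-main) raise."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", raw)
    if not m:
        raise ValueError(f"not a release version: {raw!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def lock_versions(lock_json: str) -> Dict[str, str]:
    """Map package name -> version string across both lock sections."""
    lock = json.loads(lock_json)
    found: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def audit(lock_json: str) -> List[str]:
    """Return findings (empty list means both module and library are fixed)."""
    versions = lock_versions(lock_json)
    findings: List[str] = []
    if MODULE in versions:
        mv = parse_version(versions[MODULE])
        fix = MODULE_FIX_BY_MAJOR.get(mv[0])
        if fix is None:
            findings.append(f"{MODULE} {versions[MODULE]}: unknown branch, check manually")
        elif mv < fix:
            findings.append(f"{MODULE} {versions[MODULE]} < {_fmt(fix)}")
    # The library carries the actual flaw, so it is checked independently:
    # an up-to-date module with a stale library pin is still vulnerable.
    if LIBRARY in versions:
        lv = parse_version(versions[LIBRARY])
        if lv < LIBRARY_FIX:
            findings.append(f"{LIBRARY} {versions[LIBRARY]} < {_fmt(LIBRARY_FIX)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK) or ["no findings"]:
        print(finding)
```

On a live site the same check is `composer show enshrined/svg-sanitize`, which should report 0.15.0 or later once the update above has run; the script is for the case where you want to sweep many lock files without running Composer in each checkout.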

More About the SVG Formatter Project

The module's inline SVG option also lets you add CSS and JavaScript to your SVG images. Inline rendering is exactly why the sanitizer matters: the SVG markup becomes part of the page's DOM, so any script element, event-handler attribute or scriptable reference left in an uploaded file runs in the site's origin, whereas an SVG served through an <img> tag does not execute scripts. The module can also be used in combination with the SVG Image module; if that module is installed, the SVG Formatter can be used on image fields as well.
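To make concrete what a sanitizer has to strip before an uploaded SVG is safe to render inline, here is a small allowlist sanitizer. It is an added illustration written for this page: it is not enshrined/svg-sanitize, not the module's code, and says nothing about the specific bypass the advisory fixed. The tag and attribute allowlists are deliberately tiny (an assumption that simple icons and logos are all that is needed), and HOSTILE_SVG is a constructed sample that combines one legitimate shape with the usual SVG XSS vectors.

```python
"""Allowlist SVG sanitizer: an added illustration of what must be removed
before inline rendering. Not enshrined/svg-sanitize and not the module's code.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # serialize as xmlns="..." not ns0:
ET.register_namespace("xlink", XLINK_NS)

# Deliberately small allowlists (assumption: enough for simple icons/logos).
# Anything not listed is dropped: <script>, <style>, <a>, <foreignObject>, ...
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRS = {
    "id", "class", "viewBox", "x", "y", "width", "height", "d", "cx", "cy",
    "r", "rx", "ry", "x1", "y1", "x2", "y2", "points", "transform", "fill",
    "stroke", "stroke-width", "offset", "stop-color", "href",
}

# Constructed hostile sample: one legitimate <rect> surrounded by XSS vectors.
HOSTILE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    ' viewBox="0 0 100 100" onload="alert(document.domain)">'
    '<script>alert(1)</script>'
    '<rect x="10" y="10" width="80" height="80" fill="#09f" onclick="alert(2)"/>'
    '<use xlink:href="#logo" href="data:image/svg+xml,%3Csvg%3E"/>'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
    '<img src="x" onerror="alert(3)"/></body></foreignObject>'
    '</svg>'
)


def _local(qname: str) -> str:
    """'{uri}name' -> 'name'; unqualified names pass through unchanged."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def _safe_href(value: str) -> bool:
    # Only same-document references such as <use href="#icon">. External
    # files and data: URIs can smuggle in a second SVG, scripts included.
    return value.startswith("#")


def _clean(elem: ET.Element, removed: List[str]) -> None:
    for attr in list(elem.attrib):
        name = _local(attr)
        # Every event handler (onload, onclick, onerror, ...) and every
        # attribute outside the allowlist (style=, xlink:actuate, ...) goes.
        if name.lower().startswith("on") or name not in ALLOWED_ATTRS:
            removed.append(f"attr:{name}")
            del elem.attrib[attr]
        elif name == "href" and not _safe_href(elem.attrib[attr]):
            removed.append(f"href:{elem.attrib[attr]}")
            del elem.attrib[attr]
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            removed.append(f"element:{_local(child.tag)}")
            elem.remove(child)                   # drops the whole subtree
        else:
            _clean(child, removed)


def sanitize(svg_text: str) -> Tuple[str, List[str]]:
    """Return (sanitized SVG markup, list of what was stripped)."""
    # Production code should parse untrusted XML with defusedxml or an
    # equivalent to block entity-expansion attacks; omitted here for brevity.
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: List[str] = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    clean, stripped = sanitize(HOSTILE_SVG)
    print(clean)
    for item in stripped:
        print("stripped:", item)
```

The design choice to note is that the sanitizer is allowlist-based: it keeps only elements and attributes it knows, rather than trying to enumerate every dangerous one, and it treats href values as data to be validated rather than trusting them because the attribute name is allowed. Those two properties are what a bypass in a real sanitizer library typically erodes, which is why a library-level fix, not just a module update, was needed here.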

4,121 sites currently report using this module. The 1.x branch of the module is compatible with Drupal 9.2, and version 2 of the module is compatible with Drupal 10, which has not yet been officially released.

Source:
SA-CONTRIB-2022-028
SVG Formatter Project
