github awcodes/filament-curator v3.7.9

latest releases: v5.1.2, v4.1.2
10 hours ago

Security

Backports the fix for a stored XSS vulnerability (CWE-79, CVSS 5.4 Moderate): SVG files
uploaded through the Curator panel were served inline without sanitization, allowing embedded
JavaScript to execute in the application's origin when a user opened the file via the
View action. SVG uploads are now sanitized (scripts, event handlers, and remote
references stripped) before being written to storage.

After upgrading, run php artisan curator:sanitize-svgs to clean any SVGs uploaded before
this release (use --dry-run to preview first).

See the security advisory for full details:
GHSA-8vm9-f75m-5h2m

Dependencies

  • Added enshrined/svg-sanitize.

Full Changelog: v3.7.8...v3.7.9

Don't miss a new filament-curator release

NewReleases is sending notifications on new releases.