java-html-sanitizer icon indicating copy to clipboard operation
java-html-sanitizer copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Incorrect escaping for inline svg+xml data image

Open brsyuksel opened this issue 3 years ago • 0 comments

HtmlSanitizer encodes the given input to <img src="data:image/svg&#43;xml" /> that should be <img src="data:image/svg+xml" />

Since svg&#43;xml is not recognizable mimetype for browsers, they are just ignored.

brsyuksel avatar Jul 27 '22 15:07 brsyuksel