I found a context confusion bug in the svg-sanitizer library. it sanitizes SVG for an XML context (case-sensitive), but when the SVG is inlined in HTML (case-insensitive) the filter can be bypassed. xlink:hReF gets through because XML is case-sensitive, but HTML doesn’t care about case, so XSS happens.

the bug

svg-sanitizer is used by a bunch of projects (TYPO3, CraftCMS, Contao, etc.) to clean up potentially malicious SVG files.

here’s the problem: XML is case-sensitive, HTML is not.

the library filters dangerous attributes like xlink:href in an XML context. but if you use xlink:hReF (odd casing), the sanitizer ignores it, because that’s not valid XML.

when you inline that “sanitized” SVG into HTML though? HTML doesn’t care about case. xlink:hReF works just fine. boom, XSS.

PoC

upload an SVG with:

<svg xmlns="http://www.w3.org/2000/svg">
  <a xlink:hReF="javascript:alert(1)">
    <rect width="100" height="100"/>
  </a>
</svg>

sanitizer: “xlink:hReF? not valid XML, I’ll leave it alone”

browser rendering inline SVG: “xlink:href? cool, let me execute that javascript”
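to make the two contexts concrete, here is an added example (my own code, not from the post or from svg-sanitizer): it parses the same SVG with Python's XML parser and with its HTML parser to show what each one sees as the attribute name, then runs a small URL-attribute filter in two modes, exact-match (the behaviour the post describes) and case-folded (the hardened form). the sample SVG is constructed and, unlike the PoC above, declares xmlns:xlink so that the XML parser accepts the prefix; URL_ATTRIBUTES, SAFE_SCHEMES and the function names are my own, not svg-sanitizer's API.

```python
"""Added example (not from the post or svg-sanitizer): the same SVG seen as XML
versus HTML, a sanitizer that matches attribute names case-sensitively, and the
hardened variant that case-folds the local name before matching."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample shaped like the post's PoC. The xmlns:xlink declaration is
# added here (an assumption) so that the XML parser accepts the prefix.
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
    '<a xlink:hReF="javascript:alert(1)"><rect width="100" height="100"/></a>'
    '</svg>'
)
# Constructed benign sample: a same-document link that must survive sanitizing.
BENIGN_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
    '<a xlink:href="#legend"><rect width="10" height="10"/></a></svg>'
)

# Attribute names (Clark notation for namespaced ones) whose value is a URL.
URL_ATTRIBUTES = {f"{{{XLINK_NS}}}href", "href"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def xml_attribute_names(svg: str) -> list[str]:
    """Attribute names as an XML parser sees them: case is preserved."""
    root = ET.fromstring(svg)
    return [name for elem in root.iter() for name in elem.attrib]


class _AttrCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def html_attribute_names(svg: str) -> list[str]:
    """Attribute names as an HTML parser sees them: folded to lowercase."""
    collector = _AttrCollector()
    collector.feed(svg)
    return collector.names


def canonical_name(name: str) -> str:
    """Lowercase only the local part; the namespace URI is case-significant."""
    ns, brace, local = name.rpartition("}")
    return f"{ns}{brace}{local.lower()}"


def url_is_safe(value: str) -> bool:
    """Allowlist: fragment/relative URLs, or an explicitly permitted scheme."""
    compact = "".join(value.split())  # HTML ignores whitespace inside a URL
    scheme = urlsplit(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def sanitize(svg: str, case_fold: bool) -> tuple[str, list[str]]:
    """Strip URL attributes with unsafe values; returns (cleaned svg, removed names).

    case_fold=False reproduces the exact-match behaviour the post describes
    (xlink:hReF is not recognised as xlink:href); case_fold=True is the hardened form.
    """
    root = ET.fromstring(svg)
    removed: list[str] = []
    for elem in root.iter():
        for name in list(elem.attrib):
            key = canonical_name(name) if case_fold else name
            if key in URL_ATTRIBUTES and not url_is_safe(elem.attrib[name]):
                removed.append(name)
                del elem.attrib[name]
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("XML sees: ", xml_attribute_names(SAMPLE_SVG))
    print("HTML sees:", html_attribute_names(SAMPLE_SVG))
    for fold in (False, True):
        cleaned, removed = sanitize(SAMPLE_SVG, case_fold=fold)
        print(f"case_fold={fold}: removed={removed}")
        print("  ", cleaned)
```

the XML parser reports the attribute as {…xlink}hReF, the HTML parser reports xlink:href, so an exact-match check written for the XML view never fires while the browser's HTML view treats it as a live link. folding the local name before comparing (and folding the allowlist entries the same way, so legitimate camelCase attributes such as viewBox still match) makes the sanitizer judge the attribute the way the HTML context eventually will. the scheme check uses an allowlist rather than looking for the string javascript:, so values padded with whitespace or using another scheme are rejected too.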

impact

affects any project using svg-sanitizer that inlines SVGs in HTML. reported it to TYPO3 first.

details

  • CVE: CVE-2025-55166
  • GitHub Advisory: GHSA-22wq-q86m-83fh
  • affects: svg-sanitizer < 0.21.0, TYPO3, and many others.