Advisories for npm/@sveltia/cms package

2026

Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe

A stored cross-site scripting (XSS) vulnerability affected the Markdown/RichText field preview renderer in Sveltia CMS. The DOMPurify sanitization configuration used for Markdown previews explicitly permitted iframe elements without enforcing a sandbox attribute or restricting iframe sources. Sanitized Markdown output was then inserted into the CMS preview DOM as raw HTML. Because no sandboxing or source validation was applied, a Markdown field containing an iframe whose src pointed to a same-origin …

Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML

A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS. Entry summaries that allowed limited Markdown were parsed and sanitized, and only then were HTML entities decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing …