From 66c7da394af8d987b2c1876b57c06dc7afe3d872 Mon Sep 17 00:00:00 2001
From: Duncan McClean
Date: Mon, 13 Apr 2026 09:15:56 +0100
Subject: [PATCH 1/2] bump `rhukster/dom-sanitizer`
---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 7292c381cfa..28570652a1d 100644
--- a/composer.json
+++ b/composer.json
@@ -27,7 +27,7 @@
  "pixelfear/composer-dist-plugin": "^0.1.4",
  "pragmarx/google2fa": "^8.0 || ^9.0",
  "rebing/graphql-laravel": "^9.15",
- "rhukster/dom-sanitizer": "^1.0.7",
+ "rhukster/dom-sanitizer": "^1.0.10",
  "spatie/blink": "^1.3",
  "spatie/error-solutions": "^1.0 || ^2.0",
  "statamic/stringy": "^3.1.2",
From b31835577f816991e833210dfd773f61b4a8aa1e Mon Sep 17 00:00:00 2001
From: Duncan McClean
Date: Mon, 13 Apr 2026 09:16:17 +0100
Subject: [PATCH 2/2] sanitize style tags before passing to dom-sanitizer
---
 src/Support/Svg.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Support/Svg.php b/src/Support/Svg.php
index eaedbb92c3c..56e1d334ba9 100644
--- a/src/Support/Svg.php
+++ b/src/Support/Svg.php
@@ -20,11 +20,11 @@ public static function sanitize(string $svg, ?DOMSanitizer $sanitizer = null): s
  {
  $sanitizer = $sanitizer ?? new DOMSanitizer(DOMSanitizer::SVG);
- $svg = $sanitizer->sanitize($svg, [
+ $svg = static::sanitizeStyleTags($svg);
+
+ return $sanitizer->sanitize($svg, [
  'remove-xml-tags' => ! Str::startsWith($svg, '