SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
For me personally, the most interesting part of this vulnerability is how it can be exploited, as not all browsers are affected, but unfortunately nowadays almost all major ones are.
Further details are under this link: https://hackerone.com/reports/148853
To test for the vulnerability on your own SVG formatter or similar solution, take this example, save it in an SVG file, or simply let your site execute/embed it. If sanitization is not done properly, you'll see a pop-up saying "This app is probably vulnerable to XSS attacks!"
The solution, which the svg_formatter contrib module also delivers, is to use this library: https://packagist.org/packages/enshrined/svg-sanitize
It is worth mentioning that including the library was already available in the dev version of the module; with the fix, we have pushed it into a stable release as a default setting and made the library a requirement.
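How the enshrined/svg-sanitize library can be called before an uploaded SVG is rendered, as an added example that is not the svg_formatter module's own code. The helper name sanitize_svg_or_reject, the vendor/autoload.php path and the sample SVG are assumptions constructed for illustration.

```php
<?php
// Added example, not the module's code.
// Assumes: composer require enshrined/svg-sanitize
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Hypothetical helper: returns sanitized SVG markup, or null when the
 * input must be rejected instead of rendered.
 */
function sanitize_svg_or_reject(string $dirtySvg): ?string
{
    $sanitizer = new Sanitizer();
    // Also drop references to external resources.
    $sanitizer->removeRemoteReferences(true);

    $clean = $sanitizer->sanitize($dirtySvg);

    // sanitize() returns false when the XML cannot be parsed: fail closed.
    if ($clean === false || trim($clean) === '') {
        return null;
    }
    // Defence in depth: refuse output that still carries a script element
    // or an on* event-handler attribute.
    if (preg_match('/<\s*script\b|\son[a-z]+\s*=/i', $clean)) {
        return null;
    }
    return $clean;
}

// Constructed sample input: an SVG carrying a script element.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <script>alert("This app is probably vulnerable to XSS attacks!")</script>
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>
SVG;

$clean = sanitize_svg_or_reject($sample);
echo $clean === null ? "rejected\n" : $clean . "\n";

// Malformed XML is rejected rather than passed through.
var_dump(sanitize_svg_or_reject('<svg><circle'));
```

Render only the string the helper returns, and treat null as a failed upload rather than falling back to the original file.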
Thanks also to the maintainer, who worked with us very well and followed our procedure: https://www.drupal.org/u/gnikolovski
It was a great pleasure to work with you, and thanks again for your comments!