There is a security vulnerability in svgSalamander:
The problem occurs when including raster/svg images via <image>.
The reporter says "How to fix - any schemes apart from data in the
xlink:href attribute should be disallowed"
--> I am not aware of svgSalamander properties (the only other toggle I
can think of is java system properties), so can we _disable_ other
schemes? I don't think that breaks SVG rendering in Freeplane, how
about josm / other applications?
--> data: schema seems to provide a way for including base64 encoded
raster/svg images inline in an SVG.
--> Can we discuss how to fix this?
Or shall we wait until Mark (the upstream author) fixes this
(might take a month)? Or at least ping him for a solution?
Cheers and Best Regards,
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.
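
The rule quoted from the reporter (only data: in the xlink:href of an <image>) can be applied as a check before an SVG reaches the renderer. The following is an added example, not svgSalamander code and not a patch from this thread; the class and method names are hypothetical, the sample SVG is constructed, and treating scheme-less (relative) references as disallowed is an assumption of the example.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SvgImageHrefCheck {              // hypothetical name
    static final String XLINK_NS = "http://www.w3.org/1999/xlink";

    /** Returns every <image> reference whose scheme is not data:. */
    static List<String> disallowedImageHrefs(String svg) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so the check itself never loads external entities.
        // An SVG that carries a DOCTYPE makes parse() throw; callers should
        // treat that as "not accepted" rather than skipping the check.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // "*" matches <image> in any namespace, including none at all.
        NodeList images = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(svg)))
                .getElementsByTagNameNS("*", "image");
        List<String> rejected = new ArrayList<>();
        for (int i = 0; i < images.getLength(); i++) {
            Element img = (Element) images.item(i);
            // SVG 1.1 uses xlink:href; SVG 2 also allows a plain href.
            for (String href : new String[] {
                    img.getAttributeNS(XLINK_NS, "href"), img.getAttribute("href")}) {
                String v = href.trim();
                // Scheme names are case-insensitive. A value with no scheme is
                // resolved against the document location, so it is rejected too.
                if (!v.isEmpty() && !v.regionMatches(true, 0, "data:", 0, 5)) {
                    rejected.add(v);
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        String svg = "<svg xmlns='http://www.w3.org/2000/svg' "   // constructed sample
            + "xmlns:xlink='http://www.w3.org/1999/xlink'>"
            + "<image xlink:href='data:image/png;base64,AAAA'/>"
            + "<image xlink:href='http://example.invalid/a.png'/>"
            + "<image xlink:href='file:///placeholder/b.svg'/>"
            + "<image xlink:href='relative.png'/></svg>";
        for (String h : disallowedImageHrefs(svg)) System.out.println("rejected: " + h);
    }
}
```

This only inspects <image> elements, as in the report; it says nothing about other elements that can carry an xlink:href.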