🚨 Improving SVG Handling: Security & Safety Enhancements

[mayank1513]

We’ve recently improved how @m2d/image handles SVG parsing.

Previously, raw SVG strings were directly attached to the DOM for cropping away extra spaces. While usage was limited, this introduced a theoretical XSS / DOM injection risk if SVG input came from an untrusted @source.

✅ Fix included in latest release:

• SVGs are now parsed safely via @svg-fns/io before attaching to the DOM.
• Prevents malicious or malformed SVGs from injecting unsafe attributes or scripts.

💡 Why this matters:

• Most users work with trusted SVG sources (e.g., Mermaid, diagrams, charts).
• So this was not a high-severity issue — but we take security hygiene seriously.
• This change reflects our commitment to safe defaults and protecting downstream projects.

📌 What you should do:

• No action required if you’re already on the latest release — the fix is included.
• If you’re on an older version, upgrading is recommended.

🙏 Thanks to the community members who raise thoughtful issues and contribute fixes. This project stays strong because of your support.

“Security isn’t a one-time patch, it’s an ongoing commitment — we’ll continue tightening safeguards as the ecosystem grows”

[mayank1513]

#7