Bypass SVG follow https://github.com/darylldoyle/svg-sanitizer/issues/31

[dinhbaouit]

Just notice for bypass this issue:
darylldoyle/svg-sanitizer#31
POC: https://www.youtube.com/watch?v=hnQA2hc-4_k&feature=youtu.be

[darylldoyle]

@dinhbaouit I've pushed a proposed fix for this to https://github.com/darylldoyle/svg-sanitizer/tree/fix/31-xss.

Any chance you can double check this Fixes the issue for me please? If there’s anything else you think I should look out for, I’d love to hear it :)

[dinhbaouit]

Yah, but I thing best way you can do is using white list
I see your white list in cleanXlinkHrefs is good.
https://github.com/darylldoyle/svg-sanitizer/blob/master/src/Sanitizer.php#L372

[darylldoyle]

I see what you mean. I could do something similar and check for URLs starting with one of the following: https://, http://, / or #. I can't think of any others that would allow non-standard URIs through. That should stop all scripts from slipping through, shouldn't it?

[darylldoyle]

@dinhbaouit, I've updated the sanitiser to use a whitelist for these values rather than a regex now. Good idea, thanks for that 🙂

Any chance you can look over darylldoyle/svg-sanitizer@6421560 and let me know if you can see any potential issues before I merge please?

[dinhbaouit]

Yah, I think this is the best way. Now it is really safe :))