Handle data-URLs in safe mode.

Fix #383.
Kozea · Apr 18, 2023 · 2cbe306 · 2cbe306
1 parent 33007d4
commit 2cbe306
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/cairosvg/parser.py b/cairosvg/parser.py
@@ -14,7 +14,7 @@
 from . import css
 from .features import match_features
 from .helpers import flatten, pop_rotation, rotations
-from .url import fetch, parse_url, read_url
+from .url import fetch, parse_url, read_url, safe_fetch
 
 # 'display' is actually inherited but handled differently because some markers
 # are part of a none-displaying group (see test painting-marker-07-f.svg)
@@ -393,8 +393,7 @@ def __init__(self, **kwargs):
 
         # Don’t allow fetching external files unless explicitly asked for
         if 'url_fetcher' not in kwargs and not unsafe:
-            self.url_fetcher = (
-                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
+            self.url_fetcher = safe_fetch
 
         self.xml_tree = tree
         root = cssselect2.ElementWrapper.from_xml_root(tree)

diff --git a/cairosvg/url.py b/cairosvg/url.py
@@ -84,6 +84,17 @@ def fetch(url, resource_type):
     return urlopen(Request(url, headers=HTTP_HEADERS)).read()
 
 
+def safe_fetch(url, resource_type):
+    """Fetch the content of ``url`` only if it’s a data-URL.
+
+    Otherwise, return an empty SVG.
+
+    """
+    if url and url.startswith('data:'):
+        return fetch(url, resource_type)
+    return b'<svg width="1" height="1"></svg>'
+
+
 def parse_url(url, base=None):
     """Parse an URL.