SVG data-URI image being removed #205
Comments
This indeed causes XSS in older Opera versions (especially the releases from 9.x to 12.x) but then again, everything causes XSS in older Opera. It is futile to attempt XSS protection for this train-wreck of a browser so I think we're okay to permit data URIs for SVG :D I would propose to simply whitelist them and thereby fix this issue, sounds good?
That sounds good to me. Will that require a code change on the source, or is there something I can do in the meantime? Thanks!
I'll do the change today!
Okay, so the latest commit should behave as expected, can you give it a try please?
The tests are green, closing this one for now. Please reopen if anything is missing!
Works great! Thank you very much.
Cool :)
I can confirm that, now in 2020, this is no longer working. Why is DOMPurify so hard on data URLs? It doesn't seem to allow any. |
Because up until 2019, several browsers did not interact securely with those. If there are cases we block where you would say they should be allowed, we can always look into it.
I have a problem right now, and an impasse with Mozilla because they allow only DOMPurify as a sanitizer. Look at issue #430 |
Background & Context
I'm trying to cleanse the SVG output of a third-party diagramming tool. This tool draws some SVG elements using the <image> tag and the xlink:href="data:image/svg+xml..." attribute.

Bug
DOMPurify strips out the xlink:href="data:image/svg+xml..." attribute completely. I've tried allowing xlink:href using the following statement, but it does not work:

Input

Given output

Expected output
I'm trying to figure this part out. It sounds like the input code may cause XSS issues with Opera (per #148). So is the input code recommended, or should I transform it to something else?
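An added example, not DOMPurify's own code, of the narrow whitelist the maintainer proposes in this thread: data: URIs are accepted only with an image media type and only on the SVG <image> element, where the browser renders the payload as an image rather than as a document, while script-capable schemes stay blocked everywhere. The function names (isAllowedHref, stripUnsafeHrefs) and the element tree are constructed for the example.

```javascript
// Added example, not DOMPurify's own code: an attribute check modelled on the
// whitelist proposed in this thread. data: URIs are allowed only with an image
// media type and only on SVG <image>, where the browser renders the payload as
// an image rather than as a document; script-capable schemes are rejected everywhere.

const HREF_ATTRS = /^(?:xlink:)?href$/i;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;
const SAFE_SCHEMES = /^(?:https?|mailto|tel):/i;
const IMAGE_DATA_URI = /^data:image\/(?:svg\+xml|png|jpeg|gif|webp)(?:;[^,]*)?,/i;

// Mirror what a URL parser does before it reads the scheme: drop ASCII tab and
// newline anywhere, and leading/trailing C0 controls and spaces.
function normaliseHref(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// true if the attribute may stay on the element; tag is the lowercase element name.
function isAllowedHref(tag, attrName, value) {
  if (!HREF_ATTRS.test(attrName)) return true;       // not a URL-bearing attribute
  const href = normaliseHref(value);
  if (!HAS_SCHEME.test(href)) return true;           // relative URL or #fragment
  if (SAFE_SCHEMES.test(href)) return true;
  return tag === 'image' && IMAGE_DATA_URI.test(href);
}

// Walk a simple element tree ({tag, attrs, children}) and delete disallowed
// href attributes in place; returns the number of attributes removed.
function stripUnsafeHrefs(node) {
  let removed = 0;
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (!isAllowedHref(node.tag, name, value)) { delete node.attrs[name]; removed++; }
  }
  for (const child of node.children || []) removed += stripUnsafeHrefs(child);
  return removed;
}

// Constructed sample resembling the diagramming-tool output from the issue.
const sample = {
  tag: 'svg', attrs: {}, children: [
    { tag: 'image', attrs: { 'xlink:href': 'data:image/svg+xml;base64,PHN2Zy8+' } },
    { tag: 'use',   attrs: { 'xlink:href': '#shape' } },
    { tag: 'a',     attrs: { href: 'data:text/html,<p>not an image</p>' } },
    { tag: 'a',     attrs: { href: ' java\tscript:void(0)' } },
  ],
};
```

Running stripUnsafeHrefs(sample) keeps the <image> data: URI and the #shape reference and removes the two <a> hrefs, which is the behaviour the thread asks for from the sanitizer.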