xlink:href filtering (particularly in <use>)

[phinch]

When filtering SVGs, DOMPurify seems to be over-eager in eliminating certain tags - I noticed it in one of my SVG <use> tags being removed. Specifically, I defined a path in an SVG file and then referred to it using a use tag later in the document:

<defs>
    <path id="path-1" d="M11.2357619,11.3004444 ..."></path>
</defs>
...
<mask id="mask-2" sketch:name="Clip 12" fill="white">
    <use xlink:href="#path-1"></use>
</mask>

but after being sanitized, the <mask> became:

<mask id="mask-2" sketch:name="Clip 12" fill="white">

</mask>

with the <use> tag removed, and the SVG image was thus missing that element when it was loaded.

In my understanding, it should be safe to have internal references in xlink:href paths like I had above, so long as other scripts in the file are sanitized. Is there any way to improve the sanitizer to only block dangerous (e.g. cross-origin) hrefs inside <use> tags?

[cure53]

Hmmm, I think blocking only cross-origin xlink:href for <use> but allowing same-origin is risky as all you need to make an XSS out of it is an Open Redirect on the affected website.

I would recommend working with a hook, that checks if the xlink:href starts with # and then permit it. Should be easily doable by allowing <use> via config and then using a hook like afterSanitizeAttributes.

Would that work for you?

[cure53]

I think this might do, no?

<!doctype html>
<html>
    <head>
        <script src="../purify.js"></script>
    </head>
    <body>
        <!-- Now let's sanitize that content -->
        <script>
            'use strict';
           
            DOMPurify.addHook('afterSanitizeAttributes', function(node){
                if(node.hasAttribute('xlink:href') && !node.getAttribute('xlink:href').match(/^#/)){
                    node.remove();
                } 
            });

            // Clean HTML string and write into our DIV
            var clean = DOMPurify.sanitize("<svg>\
                <use xlink:href='#foo' />\
                <use xlink:href='//evil' />\
            </svg>", {ADD_TAGS: ['use']});
            console.dir(clean);
        </script>
    </body>
</html>

[phinch]

That looks good to me, thanks! I'm still pretty unfamiliar with XSS, so I wasn't sure if it was possible to sneak some javascript in after the #, but this works great for me. Thanks!

[rodrigofariow]

Glad there is a work around for this! :)

#233 (comment)

Is there a reason why this is not done by default, though? Performance related?
I feel like it's a relatively common use case to have use tags on svgs.

Thank you for your time.