Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should xlink:href always be removed? #10

Closed
niklashultstrom opened this issue May 10, 2017 · 2 comments
Closed

Should xlink:href always be removed? #10

niklashultstrom opened this issue May 10, 2017 · 2 comments

Comments

@niklashultstrom
Copy link

niklashultstrom commented May 10, 2017
edited
Loading

Hello! Glad someone finally took on the SVG mess on WP :)

I ran in to this issue though, causing the SVG image not to display:

Before

<clipPath id="SVGID_2_">
 <use xlink:href="#SVGID_1_"  overflow="visible"/>
</clipPath>

After (upload)

<clipPath id="SVGID_2_">
</clipPath>

Similair with the image element, though just removing the xlink:href attribute:

Before

<image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)">

After

<image overflow="visible" width="95" height="77" transform="matrix(0.48 0 0 0.48 638.2959 384.499)">

Which makes me wonder if xlink:href should be removed when containing just an #id or an base64 data-image.
@darylldoyle
Copy link
Owner

Hi @niklashultstrom,

The xlink:href attribute is not removed in the sanitiser.

In your first example, you're using the use element. This is stripped from the file, rather than the xlink:href attribute. This is inline with the sanitisation of DOMPurify.

In your second example, again the xlink:href attribute is not removed but the image element you've supplied is invalid XML and therefore the sanitiser fails to parse it and instead returns false.
This can be fixed by either self closing the image element, or supplying a closing tag.

<image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)" />

<image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)"></image>

To see this in action try passing through the following strings at http://svg.enshrined.co.uk/ and you will see the difference:

<svg xmlns="http://www.w3.org/2000/svg"> <image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)"> </svg>

<svg xmlns="http://www.w3.org/2000/svg"> <image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)" /> </svg>

@kent1D
Copy link

kent1D commented Oct 31, 2017

Hmmm, that would be nice to make the same as this : cure53/DOMPurify#233

The usage of <use... with relative content is frequent

@kent1D kent1D mentioned this issue Oct 31, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kent1D @niklashultstrom @darylldoyle