CDATA section is removed #70

Closed
jkanape opened this issue Feb 14, 2022 · 1 comment · Fixed by #72
Comments


jkanape commented Feb 14, 2022

From version 15.0 CDATA nodes are removed.

Example document:

<svg>
<defs>
  <style type="text/css"><![CDATA[
        .fil0 {fill:#FF0000}
   ]]></style>
 </defs>
</svg>

Result from 15.0 (15.1, 15.2):

<svg>
    <defs>
      <style type="text/css"></style>
    </defs>
</svg>

Suspicious node '#cdata-section'

Result before 15.0 (14.1):

<svg>
  <defs>
    <style type="text/css"><![CDATA[
        .fil0 {fill:#00994E}
   ]]></style>
  </defs>
</svg>

Can't find a way to add #cdata-section to safe nodes, as the list is hardcoded:

$safeNodes = [
    '#text',
];
ohader added a commit to ohader/svg-sanitizer that referenced this issue Feb 14, 2022
Recent change disallowed CDATA sections, however the actual fix
would have been to disallow non SVG-elements when used inline in
some HTML-context.

Resolves: darylldoyle#70

zcorpan commented Feb 16, 2022

As I commented in GHSA-fqx8-v33p-4qcc

So are CDATA sections always removed? That seems a bit overkill, replacing them with text nodes with the same data should be safe and not remove legitimate information.
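The replacement zcorpan proposes, as an added example that is not code from svg-sanitizer or from either commenter: a hypothetical `cdataToText()` walks the DOM and swaps each CDATA section for a text node with identical data, so that the hardcoded `['#text']` allowlist from the report (mirrored here as `isSafeNode()`) keeps the style rules instead of dropping them. The content itself is unchanged by this step; whether the enclosing `<style>` element is allowed remains the job of the element allowlist.

```php
<?php
// Added example, not svg-sanitizer's own code. Replaces every CDATA section
// with a text node carrying identical data: the node name changes from
// '#cdata-section' to '#text', the content does not.
function cdataToText(DOMNode $node, int &$replaced = 0): int
{
    $doc = $node instanceof DOMDocument ? $node : $node->ownerDocument;
    // Snapshot the children: replaceChild() mutates the live NodeList.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_CDATA_SECTION_NODE) {
            $node->replaceChild($doc->createTextNode($child->data), $child);
            $replaced++;
        } elseif ($child->hasChildNodes()) {
            cdataToText($child, $replaced);
        }
    }
    return $replaced;
}

// Mirrors the hardcoded allowlist quoted in the issue: only '#text' survives.
function isSafeNode(DOMNode $node, array $safeNodes = ['#text']): bool
{
    return in_array($node->nodeName, $safeNodes, true);
}

// Constructed sample: the document from the issue report.
$svg = <<<'XML'
<svg>
 <defs>
  <style type="text/css"><![CDATA[
        .fil0 {fill:#FF0000}
   ]]></style>
 </defs>
</svg>
XML;

$doc = new DOMDocument();
$doc->loadXML($svg);
$styleChild = static fn (DOMDocument $d) =>
    $d->getElementsByTagName('style')->item(0)->firstChild;

// With the allowlist alone the CDATA child of <style> would be dropped ...
printf("before: %s, safe=%s\n", $styleChild($doc)->nodeName,
    var_export(isSafeNode($styleChild($doc)), true));
// ... after conversion the same CSS sits in a '#text' node and is kept.
$count = cdataToText($doc);
printf("after: %s, safe=%s, converted=%d\n", $styleChild($doc)->nodeName,
    var_export(isSafeNode($styleChild($doc)), true), $count);
echo $doc->saveXML();
```

When the text node is serialized, `<` and `&` in the CSS are written as entities rather than inside a CDATA wrapper; an XML parser decodes them back to the same data.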

ohader added a commit to ohader/svg-sanitizer that referenced this issue Feb 17, 2022
Recent change disallowed CDATA sections, however the actual fix
would have been to disallow non SVG-elements when used inline in
some HTML-context.

Resolves: darylldoyle#70
andreaskienast pushed a commit to TYPO3GmbH/svg-sanitize-elts7 that referenced this issue Feb 22, 2022
Recent change disallowed CDATA sections, however the actual fix
would have been to disallow non SVG-elements when used inline in
some HTML-context.

Resolves: darylldoyle#70