Skip to content

[4.x] SVG tag sanitization #8408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 5, 2023
Merged

[4.x] SVG tag sanitization #8408

merged 3 commits into from
Jul 5, 2023

Conversation

jasonvarga
Copy link
Member

@jasonvarga jasonvarga commented Jul 5, 2023

This PR adds a sanitize param to the svg tag battle potential XSS issues.

It uses https://github.com/darylldoyle/svg-sanitizer which is a PHP implementation of the popular DOMPurify library. https://github.com/cure53/DOMPurify

Note: This package was swapped out in #8428.

The svg tag will now let you add sanitize="true" and will trigger the sanitization.

{{ svg src="..." sanitize="true" }}
<svg><path onclick="foo">...</path><script>alert('foo')</script></svg>
<svg><path>....</path></svg>

You may specify additional attributes or tags to be allowed through the sanitizer:

{{ svg src="..." sanitize="true" allow_attrs="onclick|onload" allow_tags="mesh|foreignObject" }}

We are leaving it as opt-in otherwise it would be a breaking change. In Statamic 5 we will make it sanitize by default.

@jasonvarga jasonvarga merged commit c714893 into 4.x Jul 5, 2023
@jasonvarga jasonvarga deleted the sanitize-svg branch July 5, 2023 16:27
@simonhamp
Copy link
Contributor

simonhamp commented Jul 5, 2023

@jasonvarga Will this also strip<?xml ?> nodes from SVGs?

While not a problem in normal usage, I've noted when using the SSG (specifically the ssg:serve command), any XML tags will attempt to be parsed by PHP

@jasonvarga
Copy link
Member Author

Will this also strip <?xml ?> nodes from SVGs?

No. If you have an xml tag in there, it'll stay.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants