Utilize DOMPurify hooks to preserve <use> elements in playground mode #156

listopadiya · 2020-10-05T13:55:04Z

Closes #155.

<use> tags were filtered out after sanitization, but with DOMPurify hooks this problem can be solved (regular expression still filter out links to external resources in the interest of security).

Can be checked in playground with following SVG code:

<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100" viewBox="0 0 200 100">
  <style type="text/css">
    use { fill: orange; }
  </style>
  <g class="special" style="fill: blue">
    <g id="face">
      <circle cx="50" cy="50" r="40" stroke="#000000" />
      <circle cx="30" cy="40" r="5" fill="#000000" />
      <circle cx="70" cy="40" r="5" fill="#000000" />
      <path
        fill="none"
        stroke="#000000"
        stroke-width="3"
        stroke-linecap="round"
        d="M30,60 C30,80 70,80 70,60" />
    </g>
  </g>
  <use xlink:href="#face" x="100" />
</svg>

Before PR

After PR

HackbrettXXX

Thanks for the PR :)

HackbrettXXX · 2020-10-06T08:45:40Z

playground/index.js

@@ -1,6 +1,12 @@
 const { jsPDF } = window.jspdf
 const DOMPurify = window.DOMPurify

+DOMPurify.addHook('afterSanitizeAttributes', node => {
+  if(node.hasAttribute('xlink:href') && !node.getAttribute('xlink:href').match(/^#/)) {


We should also check the href attribute without the xlink namespace.

Good point, I didn't know that it is deprecated in SVG 2. I have amended the commit and also added playground to prettier check.

HackbrettXXX · 2020-10-06T09:09:33Z

package.json

@@ -25,7 +25,7 @@
    "test-typescript": "karma start ./test/deployment/typescript/karma.conf.js",
    "test:ci": "cross-env SHOW_DIFF=true npm run test",
    "createreferences": "node test/common/reference-server.js",
-    "prettier": "prettier --write {src,tests,typings}/**/*.{ts,js}",
+    "prettier": "prettier --write {playground,src,tests,typings}/**/*.{ts,js}",
    "lint": "eslint {src,tests,typings}/**/*.{ts,js}"


Sorry for nitpicking, but we should also add it to the lint task then.

Makes sense, I updated that 👌

HackbrettXXX

Alright. Thanks for the PR :)

HackbrettXXX requested changes Oct 6, 2020

View reviewed changes

listopadiya force-pushed the bugfix/playgound-use-tag branch from ff40942 to 7a86f13 Compare October 6, 2020 09:03

HackbrettXXX requested changes Oct 6, 2020

View reviewed changes

Utilize DOMPurify hooks to preserve <use> elements in playground mode

9880623

listopadiya force-pushed the bugfix/playgound-use-tag branch from 7a86f13 to 9880623 Compare October 6, 2020 09:14

HackbrettXXX approved these changes Oct 6, 2020

View reviewed changes

HackbrettXXX merged commit efd36ea into yWorks:master Oct 6, 2020

HackbrettXXX added the hacktoberfest-accepted label Oct 6, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Utilize DOMPurify hooks to preserve <use> elements in playground mode #156

Utilize DOMPurify hooks to preserve <use> elements in playground mode #156

listopadiya commented Oct 5, 2020

HackbrettXXX left a comment

HackbrettXXX Oct 6, 2020

listopadiya Oct 6, 2020

HackbrettXXX Oct 6, 2020

listopadiya Oct 6, 2020

HackbrettXXX left a comment

Utilize DOMPurify hooks to preserve <use> elements in playground mode #156

Utilize DOMPurify hooks to preserve <use> elements in playground mode #156

Conversation

listopadiya commented Oct 5, 2020

HackbrettXXX left a comment

Choose a reason for hiding this comment

HackbrettXXX Oct 6, 2020

Choose a reason for hiding this comment

listopadiya Oct 6, 2020

Choose a reason for hiding this comment

HackbrettXXX Oct 6, 2020

Choose a reason for hiding this comment

listopadiya Oct 6, 2020

Choose a reason for hiding this comment

HackbrettXXX left a comment

Choose a reason for hiding this comment