
Update librairie SVG sanitizer en incluant https://github.com/darylldoyle/svg-sanitizer/pull/28

issue_4494
cedric@yterium.com 3 years ago
parent
commit
4f3d5560ef
  1. 13
      lib/svg-sanitizer/src/Sanitizer.php
  2. 7
      lib/svg-sanitizer/src/data/AllowedAttributes.php
  3. 15
      lib/svg-sanitizer/src/data/AllowedTags.php

13
lib/svg-sanitizer/src/Sanitizer.php

@ -273,7 +273,7 @@ class Sanitizer
$currentElement = $elements->item($i);
// If the tag isn't in the whitelist, remove it and continue with next iteration
if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
if (!in_array(strtolower($currentElement->localName), $this->allowedTags)) {
$currentElement->parentNode->removeChild($currentElement);
$this->xmlIssues[] = array(
'message' => 'Suspicious tag \'' . $currentElement->tagName . '\'',
@ -288,7 +288,7 @@ class Sanitizer
$this->cleanHrefs($currentElement);
if (strtolower($currentElement->tagName) === 'use') {
if (strtolower($currentElement->localName) === 'use') {
if ($this->isUseTagDirty($currentElement)) {
$currentElement->parentNode->removeChild($currentElement);
$this->xmlIssues[] = array(
@ -311,13 +311,14 @@ class Sanitizer
for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
// get attribute name
$attrName = $element->attributes->item($x)->name;
$nodeName = $element->attributes->item($x)->nodeName;
// Remove attribute if not in whitelist
if (!in_array(strtolower($attrName), $this->allowedAttrs) && !$this->isAriaAttribute(strtolower($attrName)) && !$this->isDataAttribute(strtolower($attrName))) {
$element->removeAttribute($attrName);
$element->removeAttribute($nodeName);
$this->xmlIssues[] = array(
'message' => 'Suspicious attribute \'' . $attrName . '\'',
'message' => 'Suspicious attribute \'' . $nodeName . '\'',
'line' => $element->getLineNo(),
);
}
@ -326,9 +327,9 @@ class Sanitizer
if($this->removeRemoteReferences) {
// Remove attribute if it has a remote reference
if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
$element->removeAttribute($attrName);
$element->removeAttribute($nodeName);
$this->xmlIssues[] = array(
'message' => 'Suspicious attribute \'' . $attrName . '\'',
'message' => 'Suspicious attribute \'' . $nodeName . '\'',
'line' => $element->getLineNo(),
);
}
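Review bot: The two removals at `$element->removeAttribute($nodeName)` re-resolve the attribute by its qualified name, so they still depend on the `prefix:name` lookup succeeding at removal time and, because the boolean return is discarded, fail as quietly as the old `removeAttribute($attrName)` apparently did for prefixed attributes. The loop already holds the attribute node, so removing it directly is unambiguous and needs no name resolution: `$element->removeAttributeNode($element->attributes->item($x));` in both branches (the `isset` guard before the second branch still covers the case where the first branch already removed it). Note also that the whitelist decision on the preceding line still keys on `$attrName`, which — given that the patch needed `nodeName` to remove the attribute — appears to be the prefix-less local name; that is the safe direction (`foo:onload` is compared as `onload` and rejected) but it cannot distinguish two attributes sharing a local name in different namespaces, which deserves a one-line comment such as `// whitelist is matched on the local name; removal must use the qualified name`. The enclosing method begins and ends outside these hunks.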

7
lib/svg-sanitizer/src/data/AllowedAttributes.php

@ -46,6 +46,7 @@ class AllowedAttributes implements AttributeInterface
'disabled',
'download',
'enctype',
'encoding',
'face',
'for',
'headers',
@ -269,6 +270,7 @@ class AllowedAttributes implements AttributeInterface
'values',
'viewbox',
'visibility',
'version',
'vert-adv-y',
'vert-origin-x',
'vert-origin-y',
@ -349,6 +351,11 @@ class AllowedAttributes implements AttributeInterface
'xlink:title',
'xml:space',
'xmlns:xlink',
// RDF
'about',
'resource',
);
}
}
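Review bot: `about` and `resource` are URI-valued RDF attributes and, like every entry in this list, are now permitted on every element rather than only within the metadata subtree the `// RDF` comment implies — the attribute check in Sanitizer.php in this same commit consults `$this->allowedAttrs` with no per-element policy. With `removeRemoteReferences` disabled they pass through carrying arbitrary URIs, which is harmless for a renderer that ignores RDF but should be stated next to the entries, e.g. `// RDF (URI-valued; allowed on any element, only stripped when removeRemoteReferences is set)`. `encoding` and `version` are added without a note on which element needs them; `version` is presumably the root `<svg version="…">`, while I cannot place `encoding` from this diff — a short comment on each would keep the policy reviewable.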

15
lib/svg-sanitizer/src/data/AllowedTags.php

@ -239,7 +239,20 @@ class AllowedTags implements TagInterface
'munderover',
//text
'#text'
'#text',
// metadata area
// RDF
'rdf',
// creativecommons
'permits',
'license',
'agent',
'work',
// Dublin core
'publisher',
'type',
'format',
);
}
}
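Review bot: Because the tag check in this commit now compares `strtolower($currentElement->localName)`, these entries admit the bare local name under any prefix or none — `rdf` matches `<rdf:RDF>` but equally an unprefixed `<RDF>` — and the `// metadata area` comment overstates the scoping, since the whitelist is applied to every element wherever it sits, not only below `<metadata>`. That is tolerable, as `'#text'` children were already permitted and nothing in SVG or HTML gives `work`, `license`, `agent`, `permits`, `publisher`, `type` or `format` rendering semantics, but the comment should say so, e.g. `// RDF / Creative Commons / Dublin Core local names found in <metadata>; matched on localName, on any element`. If the intent is to preserve a typical editor-generated metadata block, any further `dc:*` or `cc:*` local names not listed here will still be stripped, which is safe but worth a line in the commit message.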
