diff --git a/lib/svg-sanitizer/src/Sanitizer.php b/lib/svg-sanitizer/src/Sanitizer.php
index b621987985e285b37899e4a142e2d9ef2b31ce44..266ea9d8897d66e950f7e5f74171aea10a8a9424 100644
--- a/lib/svg-sanitizer/src/Sanitizer.php
+++ b/lib/svg-sanitizer/src/Sanitizer.php
@@ -273,7 +273,7 @@ class Sanitizer
 $currentElement = $elements->item($i);
 // If the tag isn't in the whitelist, remove it and continue with next iteration
- if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
+ if (!in_array(strtolower($currentElement->localName), $this->allowedTags)) {
 $currentElement->parentNode->removeChild($currentElement);
 $this->xmlIssues[] = array(
 'message' => 'Suspicious tag \'' . $currentElement->tagName . '\'',
@@ -288,7 +288,7 @@ class Sanitizer
 $this->cleanHrefs($currentElement);
- if (strtolower($currentElement->tagName) === 'use') {
+ if (strtolower($currentElement->localName) === 'use') {
 if ($this->isUseTagDirty($currentElement)) {
 $currentElement->parentNode->removeChild($currentElement);
 $this->xmlIssues[] = array(
@@ -311,13 +311,14 @@ class Sanitizer
 for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
 // get attribute name
 $attrName = $element->attributes->item($x)->name;
+ $nodeName = $element->attributes->item($x)->nodeName;
 // Remove attribute if not in whitelist
 if (!in_array(strtolower($attrName), $this->allowedAttrs) && !$this->isAriaAttribute(strtolower($attrName)) && !$this->isDataAttribute(strtolower($attrName))) {
- $element->removeAttribute($attrName);
+ $element->removeAttribute($nodeName);
 $this->xmlIssues[] = array(
- 'message' => 'Suspicious attribute \'' . $attrName . '\'',
+ 'message' => 'Suspicious attribute \'' . $nodeName . '\'',
 'line' => $element->getLineNo(),
 );
 }
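Review bot: The comment above the changed condition in the -273 hunk still says only "if the tag isn't in the whitelist", but now that the comparison uses `localName` a namespace-prefixed element (the `rdf` entry added to AllowedTags suggests `rdf:RDF`-style elements) is matched by its prefix-less, lower-cased local part, and the namespace it is bound to is never consulted. Suggest extending the comment: `// Compare the lower-cased local name, so prefixed elements are matched by their local part; the bound namespace is not checked`. The same `tagName` to `localName` switch appears in the -288 hunk for the `use` check. The `in_array` call on the changed line still runs without `strict: true`, so the membership test is loose. The enclosing method starts and ends outside the hunk.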
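Review bot: In the -311 hunk the whitelist test on the `if (!in_array(strtolower($attrName), ...` line still keys on `$attrName` while removal and the issue message now use `$nodeName`; if `name` is the prefix-less local part (which is presumably why a separate `$nodeName` is needed for `removeAttribute()`), an attribute is admitted whenever its local part is whitelisted regardless of its prefix, and the qualified entries in AllowedAttributes (`xlink:title`, `xml:space`, `xmlns:xlink`) can never match the lookup. Consider evaluating the whitelist against `strtolower($nodeName)` as well, or at least document the split next to the new assignment: `// name is the local part (used for the whitelist lookup); nodeName is the qualified name removeAttribute() expects`. The -326 hunk carries the same `$attrName`/`$nodeName` split. The enclosing method starts and ends outside the hunk.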
@@ -326,9 +327,9 @@ class Sanitizer
 if($this->removeRemoteReferences) {
 // Remove attribute if it has a remote reference
 if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
- $element->removeAttribute($attrName);
+ $element->removeAttribute($nodeName);
 $this->xmlIssues[] = array(
- 'message' => 'Suspicious attribute \'' . $attrName . '\'',
+ 'message' => 'Suspicious attribute \'' . $nodeName . '\'',
 'line' => $element->getLineNo(),
 );
 }
diff --git a/lib/svg-sanitizer/src/data/AllowedAttributes.php b/lib/svg-sanitizer/src/data/AllowedAttributes.php
index a0c978836a8025a004eb28d25fe04a909794ad68..ddd2a6b7fd808a09106666c9065ba476d0bc5b6b 100644
--- a/lib/svg-sanitizer/src/data/AllowedAttributes.php
+++ b/lib/svg-sanitizer/src/data/AllowedAttributes.php
@@ -46,6 +46,7 @@ class AllowedAttributes implements AttributeInterface
 'disabled',
 'download',
 'enctype',
+ 'encoding',
 'face',
 'for',
 'headers',
@@ -269,6 +270,7 @@ class AllowedAttributes implements AttributeInterface
 'values',
 'viewbox',
 'visibility',
+ 'version',
 'vert-adv-y',
 'vert-origin-x',
 'vert-origin-y',
@@ -349,6 +351,11 @@ class AllowedAttributes implements AttributeInterface
 'xlink:title',
 'xml:space',
 'xmlns:xlink',
+
+ // RDF
+ 'about',
+ 'resource',
+
 );
 }
 }
diff --git a/lib/svg-sanitizer/src/data/AllowedTags.php b/lib/svg-sanitizer/src/data/AllowedTags.php
index 5b0f3ded4bcee302000c4cf876d0d366e0755343..c2793078114f6b55283ee03497b7dc9b91174019 100644
--- a/lib/svg-sanitizer/src/data/AllowedTags.php
+++ b/lib/svg-sanitizer/src/data/AllowedTags.php
@@ -239,7 +239,20 @@ class AllowedTags implements TagInterface
 'munderover',
 //text
- '#text'
+ '#text',
+
+ // metadata area
+ // RDF
+ 'rdf',
+ // creativecommons
+ 'permits',
+ 'license',
+ 'agent',
+ 'work',
+ // Dublin core
+ 'publisher',
+ 'type',
+ 'format',
 );
 }
 }
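Review bot: The new `'encoding'` entry in the -46 hunk is inserted after `'enctype'` and `'version'` in the -269 hunk after `'visibility'`, although the surrounding entries are kept in alphabetical order (`'encoding'` sorts before `'enctype'`, `'version'` before `'viewbox'`); placing them in order keeps the list scannable and makes duplicates easier to spot. The `about` and `resource` entries in the -349 hunk take URI values, and per the Sanitizer -326 hunk they are only screened by `hasRemoteReference()` when `removeRemoteReferences` is set, which is worth stating in the group comment, e.g. `// RDF (URI-valued; remote targets are stripped only when removeRemoteReferences is enabled)`. The added trailing blank line before `);` can be dropped.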
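Review bot: The `// metadata area` comment in the AllowedTags hunk reads as if these elements were only permitted inside a metadata block, but the Sanitizer -273 hunk compares every element's lower-cased `localName` against this list, so `type`, `format`, `license`, `agent` and `work` admit any element with that local name anywhere in the tree, in any namespace. Suggest making that explicit: `// Matched by lower-cased local name anywhere in the document; namespace and position are not checked`. The lower-case `'rdf'` entry relies on the `strtolower()` in that comparison to match elements whose local name is spelled `RDF`.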