Update librairie SVG sanitizer en incluant https://github.com/darylldoyle/svg-sanitizer/pull/28

lib/svg-sanitizer/src/Sanitizer.php

@@ -273,7 +273,7 @@ class Sanitizer
             $currentElement = $elements->item($i);
 
             // If the tag isn't in the whitelist, remove it and continue with next iteration
-            if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
+            if (!in_array(strtolower($currentElement->localName), $this->allowedTags)) {
                 $currentElement->parentNode->removeChild($currentElement);
                 $this->xmlIssues[] = array(
                     'message' => 'Suspicious tag \'' . $currentElement->tagName . '\'',
@@ -288,7 +288,7 @@ class Sanitizer
 
             $this->cleanHrefs($currentElement);
 
-            if (strtolower($currentElement->tagName) === 'use') {
+            if (strtolower($currentElement->localName) === 'use') {
                 if ($this->isUseTagDirty($currentElement)) {
                     $currentElement->parentNode->removeChild($currentElement);
                     $this->xmlIssues[] = array(
@@ -311,13 +311,14 @@ class Sanitizer
         for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
             // get attribute name
             $attrName = $element->attributes->item($x)->name;
+            $nodeName = $element->attributes->item($x)->nodeName;
 
             // Remove attribute if not in whitelist
             if (!in_array(strtolower($attrName), $this->allowedAttrs) && !$this->isAriaAttribute(strtolower($attrName)) && !$this->isDataAttribute(strtolower($attrName))) {
 
-                $element->removeAttribute($attrName);
+                $element->removeAttribute($nodeName);
                 $this->xmlIssues[] = array(
-                    'message' => 'Suspicious attribute \'' . $attrName . '\'',
+                    'message' => 'Suspicious attribute \'' . $nodeName . '\'',
                     'line' => $element->getLineNo(),
 		);
             }
@@ -326,9 +327,9 @@ class Sanitizer
             if($this->removeRemoteReferences) {
                 // Remove attribute if it has a remote reference
                 if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
-                    $element->removeAttribute($attrName);
+                    $element->removeAttribute($nodeName);
                     $this->xmlIssues[] = array(
-                        'message' => 'Suspicious attribute \'' . $attrName . '\'',
+                        'message' => 'Suspicious attribute \'' . $nodeName . '\'',
                         'line' => $element->getLineNo(),
 		    );
                 }

lib/svg-sanitizer/src/data/AllowedAttributes.php

@@ -46,6 +46,7 @@ class AllowedAttributes implements AttributeInterface
             'disabled',
             'download',
             'enctype',
+            'encoding',
             'face',
             'for',
             'headers',
@@ -269,6 +270,7 @@ class AllowedAttributes implements AttributeInterface
             'values',
             'viewbox',
             'visibility',
+            'version',
             'vert-adv-y',
             'vert-origin-x',
             'vert-origin-y',
@@ -349,6 +351,11 @@ class AllowedAttributes implements AttributeInterface
             'xlink:title',
             'xml:space',
             'xmlns:xlink',
+
+            // RDF
+            'about',
+            'resource',
+
         );
     }
 }

lib/svg-sanitizer/src/data/AllowedTags.php

@@ -239,7 +239,20 @@ class AllowedTags implements TagInterface
             'munderover',
 
             //text
-            '#text'
+            '#text',
+
+            // metadata area
+            // RDF
+            'rdf',
+            // creativecommons
+            'permits',
+            'license',
+            'agent',
+            'work',
+            // Dublin core
+            'publisher',
+            'type',
+            'format',
         );
     }
 }