From 4f3d5560efb0a8f70e72b6ab2adc46bb255b7753 Mon Sep 17 00:00:00 2001
From: "cedric@yterium.com" <>
Date: Wed, 24 Jul 2019 13:21:13 +0000
Subject: [PATCH] Update librairie SVG sanitizer en incluant https://github.com/darylldoyle/svg-sanitizer/pull/28

---
 lib/svg-sanitizer/src/Sanitizer.php | 13 +++++++------
 lib/svg-sanitizer/src/data/AllowedAttributes.php | 7 +++++++
 lib/svg-sanitizer/src/data/AllowedTags.php | 15 ++++++++++++++-
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/lib/svg-sanitizer/src/Sanitizer.php b/lib/svg-sanitizer/src/Sanitizer.php
index b6219879..266ea9d8 100644
--- a/lib/svg-sanitizer/src/Sanitizer.php
+++ b/lib/svg-sanitizer/src/Sanitizer.php
@@ -273,7 +273,7 @@ class Sanitizer
 $currentElement = $elements->item($i);
 // If the tag isn't in the whitelist, remove it and continue with next iteration
- if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
+ if (!in_array(strtolower($currentElement->localName), $this->allowedTags)) {
 $currentElement->parentNode->removeChild($currentElement);
 $this->xmlIssues[] = array(
 'message' => 'Suspicious tag \'' . $currentElement->tagName . '\'',
@@ -288,7 +288,7 @@ class Sanitizer
 $this->cleanHrefs($currentElement);
- if (strtolower($currentElement->tagName) === 'use') {
+ if (strtolower($currentElement->localName) === 'use') {
 if ($this->isUseTagDirty($currentElement)) {
 $currentElement->parentNode->removeChild($currentElement);
 $this->xmlIssues[] = array(
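Review bot: The whitelist test on the changed `if` line in the @@ -273 hunk now compares `localName`, which discards the namespace prefix, so an element in any namespace whose local name happens to be in `$this->allowedTags` now passes, whereas the prefixed `tagName` would previously have been rejected; the commit adds nothing to compensate for that relaxation. Since the accompanying AllowedTags change adds generic local names for metadata, it would be worth pairing the tag-name check with a namespace check, e.g. `if (!in_array(strtolower($currentElement->localName), $this->allowedTags, true) || !$this->isAllowedNamespace($currentElement->namespaceURI)) {`, with a new private helper `isAllowedNamespace()` that accepts the SVG namespace plus whichever metadata namespaces the list is meant to admit, and a distinct `xmlIssues` message for a rejected namespace. The `use` comparison in the @@ -288 hunk makes the same switch; there it tightens rather than loosens, because a prefixed `use` element now reaches `isUseTagDirty`. The enclosing loop starts before the hunk and the removal branch continues past it.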
@@ -311,13 +311,14 @@ class Sanitizer
 for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
 // get attribute name
 $attrName = $element->attributes->item($x)->name;
+ $nodeName = $element->attributes->item($x)->nodeName;
 // Remove attribute if not in whitelist
 if (!in_array(strtolower($attrName), $this->allowedAttrs) && !$this->isAriaAttribute(strtolower($attrName)) && !$this->isDataAttribute(strtolower($attrName))) {
- $element->removeAttribute($attrName);
+ $element->removeAttribute($nodeName);
 $this->xmlIssues[] = array(
- 'message' => 'Suspicious attribute \'' . $attrName . '\'',
+ 'message' => 'Suspicious attribute \'' . $nodeName . '\'',
 'line' => $element->getLineNo(),
 );
 }
@@ -326,9 +327,9 @@ class Sanitizer
 if($this->removeRemoteReferences) {
 // Remove attribute if it has a remote reference
 if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
- $element->removeAttribute($attrName);
+ $element->removeAttribute($nodeName);
 $this->xmlIssues[] = array(
- 'message' => 'Suspicious attribute \'' . $attrName . '\'',
+ 'message' => 'Suspicious attribute \'' . $nodeName . '\'',
 'line' => $element->getLineNo(),
 );
 }
diff --git a/lib/svg-sanitizer/src/data/AllowedAttributes.php b/lib/svg-sanitizer/src/data/AllowedAttributes.php
index a0c97883..ddd2a6b7 100644
--- a/lib/svg-sanitizer/src/data/AllowedAttributes.php
+++ b/lib/svg-sanitizer/src/data/AllowedAttributes.php
@@ -46,6 +46,7 @@ class AllowedAttributes implements AttributeInterface
 'disabled',
 'download',
 'enctype',
+ 'encoding',
 'face',
 'for',
 'headers',
@@ -269,6 +270,7 @@ class AllowedAttributes implements AttributeInterface
 'values',
 'viewbox',
 'visibility',
+ 'version',
 'vert-adv-y',
 'vert-origin-x',
 'vert-origin-y',
@@ -349,6 +351,11 @@ class AllowedAttributes implements AttributeInterface
 'xlink:title',
 'xml:space',
 'xmlns:xlink',
+
+ // RDF
+ 'about',
+ 'resource',
+
 );
 }
 }
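Review bot: In the @@ -311 hunk the whitelist `if` still compares `$attrName`, while removal on the next changed line switches to the qualified `$nodeName`; `$attrName` comes from `DOMAttr::$name`, presumably the unprefixed local part (which is why the commit needed `nodeName` to make `removeAttribute` work), so a prefixed attribute is admitted or rejected on its local part alone even though `$this->allowedAttrs` holds qualified entries such as `xlink:href` and `xmlns:xlink`. If that asymmetry is intended, a comment above the `if` should say so; otherwise compare `strtolower($nodeName)` against the list as well. `$element->attributes->item($x)` is now evaluated five times per iteration across this hunk and the @@ -326 hunk, so fetching it once as `$attr = $element->attributes->item($x);` and reading `$attr->name`, `$attr->nodeName` and `$attr->value` from it would be clearer, and both `in_array` calls should pass `true` as the third argument. The `for` body continues past the end of the hunk.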
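Review bot: `'version'` in the @@ -269 hunk is inserted after `'visibility'`, breaking the alphabetical order the surrounding entries keep; it belongs before `'vert-adv-y'`. The RDF entries `'about'` and `'resource'` added in the @@ -349 hunk are IRI-valued and are allowed unconditionally, so the only value check that reaches them is the `hasRemoteReference` test in the Sanitizer.php @@ -326 hunk, which runs only when `removeRemoteReferences` is enabled; a one-line comment next to the `// RDF` group noting that these values are URIs subject to the remote-reference option would spare the next maintainer that trace.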
diff --git a/lib/svg-sanitizer/src/data/AllowedTags.php b/lib/svg-sanitizer/src/data/AllowedTags.php
index 5b0f3ded..c2793078 100644
--- a/lib/svg-sanitizer/src/data/AllowedTags.php
+++ b/lib/svg-sanitizer/src/data/AllowedTags.php
@@ -239,7 +239,20 @@ class AllowedTags implements TagInterface
 'munderover',
 //text
- '#text'
+ '#text',
+
+ // metadata area
+ // RDF
+ 'rdf',
+ // creativecommons
+ 'permits',
+ 'license',
+ 'agent',
+ 'work',
+ // Dublin core
+ 'publisher',
+ 'type',
+ 'format',
 );
 }
 }
-- 
GitLab
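Review bot: The new entries under `// metadata area` are bare local names (`type`, `format`, `work`, `license`, `agent`, `publisher`), and because Sanitizer.php now matches on `localName` they admit an element of that local name in any namespace anywhere in the document, not only inside the metadata area the comment describes. If the intent is to preserve RDF, Creative Commons and Dublin Core metadata, a `namespaceURI` check or an ancestor check against `metadata` in the sanitizer would turn `// metadata area` from a description into an enforced property. The entry `'rdf'` also deserves a short comment such as `// matches rdf:RDF, compared lowercased by localName`, since a reader comparing it with the conventional element name will otherwise suspect it is wrong.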