cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Incorrect removal of `feFunc*` attributes #984

Closed RichardLuo0 closed 3 weeks ago

RichardLuo0 commented 1 month ago

This issue proposes a bug which...

Background & Context

<!DOCTYPE xml>
<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <filter>
      <feTurbulence result="noiseImage" type="fractalNoise" baseFrequency="0.6" numOctaves="2"
        seed="0"
        stitchTiles="stitch" />
      <feComponentTransfer result="noise" in="noiseImage">
        <feFuncA type="linear" slope="0.02" />
      </feComponentTransfer>
    </filter>
  </defs>
</svg>

After sanitizing, the slope is removed. Not only slope: other attributes that can be used on feFunc* are removed as well.

Given output

<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <filter>
      <feTurbulence stitchTiles="stitch" seed="0" numOctaves="2" baseFrequency="0.6" type="fractalNoise" result="noiseImage"></feTurbulence>
      <feComponentTransfer in="noiseImage" result="noise">
        <feFuncA type="linear"></feFuncA>
      </feComponentTransfer>
    </filter>
  </defs>
</svg>

Expected output

The slope is preserved

<!DOCTYPE xml>
<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <filter>
      <feTurbulence result="noiseImage" type="fractalNoise" baseFrequency="0.6" numOctaves="2"
        seed="0"
        stitchTiles="stitch" />
      <feComponentTransfer result="noise" in="noiseImage">
        <feFuncA type="linear" slope="0.02" />
      </feComponentTransfer>
    </filter>
  </defs>
</svg>
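The behaviour in the report comes from allowlist-based attribute filtering: a sanitizer keeps an attribute only if it is on a known-good list and drops everything else, so an attribute missing from the list (here `slope` on `feFuncA`) silently disappears. The block below is an added example, not DOMPurify's code and not the reporter's: it is a minimal allowlist filter over the posted SVG, with a regression check that asks whether a given attribute survives. The allowlists are constructed for this example and are not DOMPurify's real lists; only the mechanism is the same. The `feFunc*` attribute names (`slope`, `intercept`, `amplitude`, `exponent`, `offset`, `tableValues`) are the transfer-function attributes from the SVG filter specification.

```javascript
// Added example: a toy allowlist attribute filter that reproduces the
// reported failure mode and a check that catches it. Not DOMPurify code.

// The reporter's input, minus the doctype (constructed test input).
const SVG_INPUT = `<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <filter>
      <feTurbulence result="noiseImage" type="fractalNoise" baseFrequency="0.6" numOctaves="2"
        seed="0"
        stitchTiles="stitch" />
      <feComponentTransfer result="noise" in="noiseImage">
        <feFuncA type="linear" slope="0.02" />
      </feComponentTransfer>
    </filter>
  </defs>
</svg>`;

// Constructed allowlist (NOT DOMPurify's real list). Like the reported
// behaviour, it knows the feTurbulence attributes but none of the
// feFunc* transfer-function attributes. Names are stored lowercased
// because matching is case-insensitive below.
const BASE_ATTRS = new Set([
  'xmlns', 'result', 'in', 'type', 'basefrequency', 'numoctaves',
  'seed', 'stitchtiles',
]);

// feFunc* attributes from the SVG filter spec that the report says get
// stripped. Adding them to the allowlist is the change under test.
const FEFUNC_ATTRS = ['slope', 'intercept', 'amplitude', 'exponent', 'offset', 'tablevalues'];

// Start tags with double-quoted attributes only; enough for this input,
// not a general XML parser.
const START_TAG = /<([A-Za-z][\w:-]*)((?:\s+[\w:-]+="[^"]*")*)\s*(\/?)>/g;
const ATTR = /([\w:-]+)="([^"]*)"/g;

// Rewrite every start tag, keeping only allowlisted attributes and
// recording each attribute that was dropped together with its element.
function filterAttributes(markup, allowed) {
  const dropped = [];
  const clean = markup.replace(START_TAG, (match, tag, attrs, selfClose) => {
    const kept = [];
    for (const [, name, value] of attrs.matchAll(ATTR)) {
      if (allowed.has(name.toLowerCase())) kept.push(`${name}="${value}"`);
      else dropped.push({ tag, attr: name });
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tag}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { clean, dropped };
}

// Regression check: true if `attr` on `tag` survives the filter.
function preserves(markup, allowed, tag, attr) {
  return !filterAttributes(markup, allowed).dropped
    .some((d) => d.tag === tag && d.attr === attr);
}

// Allowlist extended with the feFunc* attributes.
function withFeFuncAttrs(base) {
  return new Set([...base, ...FEFUNC_ATTRS]);
}

if (typeof require !== 'undefined' && require.main === module) {
  const before = filterAttributes(SVG_INPUT, BASE_ATTRS);
  console.log('dropped with base allowlist:', before.dropped); // [{ tag: 'feFuncA', attr: 'slope' }]
  const after = filterAttributes(SVG_INPUT, withFeFuncAttrs(BASE_ATTRS));
  console.log('dropped with feFunc* attrs allowed:', after.dropped); // []
  console.log(after.clean);
}
```

The `dropped` list is the useful part for a maintainer: a test over a corpus of valid SVG filters can assert that it is empty, which turns "an attribute quietly vanished" into a failing check. Because the filter errs toward dropping unknown attributes, the bug degrades rendering rather than weakening the sanitizer; the fix is to extend the allowlist with the specific presentation attributes, not to relax the mechanism. With DOMPurify itself the same extension can be applied per call through its `ADD_ATTR` configuration option, which adds attribute names to the allowed set (this option is part of DOMPurify's documented API, not something taken from the issue above).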