cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Allow SVG transfer function attributes #987

Closed Gigabyte5671 closed 3 weeks ago

Gigabyte5671 commented 3 weeks ago

Summary

This PR adds the following SVG transfer function (<feFunc*>) attributes to the SVG allow list:

Afaik, these are all of the attributes that are available on SVG component transfer functions (offset is already on the allow list).

These attributes are used to control how colours are processed inside an <feComponentTransfer> element. All of these attributes only accept numeric values, so I don't believe they can be used to trigger scripts or other malicious behaviours. Please let me know if I'm wrong there.

Thanks again!

Background & Context

This should fix #984.

References

cure53 commented 3 weeks ago

That looks good, thank you very much :)
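To make the reasoning in the PR concrete, here is an added example (not DOMPurify's code and not the PR's diff) that models the allow-list decision it touches: transfer-function attributes carrying numeric values survive, while anything else on the element, such as an event handler, is dropped. The attribute names are assumptions taken from the SVG specification, since the PR's own list is not reproduced on this page; the numeric-value grammar check is an extra defence-in-depth step assumed for illustration, not a description of how DOMPurify validates values.

```javascript
// Added illustration (not DOMPurify's code, not the PR's diff): models the
// allow-list decision the PR touches. Attribute names are assumptions from the SVG spec.

// Attributes this toy policy already permits on any SVG element (offset is stated
// on the page as already allowed; the others are assumed for the example).
const SVG_BASE_ATTRS = new Set(['id', 'type', 'offset', 'in', 'result']);

// Transfer-function attributes the PR proposes (assumed names), with the value
// grammar each must satisfy: one number, or a number list for tableValues.
// Keys are lower-cased because names are compared lower-cased below.
const TRANSFER_FUNCTION_ATTRS = {
  amplitude: 'number',
  exponent: 'number',
  intercept: 'number',
  slope: 'number',
  tablevalues: 'number-list',
};

const NUMBER = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;

// Extra defence-in-depth step assumed for illustration: accept only a plain
// number (or list of numbers), so a value like "javascript:alert(1)" is rejected.
function isNumericValue(kind, value) {
  const parts = kind === 'number-list'
    ? value.trim().split(/[\s,]+/)
    : [value.trim()];
  return parts.length > 0 && parts.every((p) => p !== '' && NUMBER.test(p));
}

// el = { name: 'feFuncR', attrs: { slope: '2', ... } }. Returns which attributes
// survive and which are dropped. Names are lower-cased so feFuncR / tableValues
// match however the markup spelled them.
function sanitizeAttributes(el) {
  const kept = {};
  const dropped = [];
  const isTransferFunc = /^fefunc[rgba]$/.test(el.name.toLowerCase());
  for (const [rawName, value] of Object.entries(el.attrs)) {
    const name = rawName.toLowerCase();
    if (SVG_BASE_ATTRS.has(name)) { kept[rawName] = value; continue; }
    const kind = isTransferFunc ? TRANSFER_FUNCTION_ATTRS[name] : undefined;
    if (kind && isNumericValue(kind, value)) { kept[rawName] = value; continue; }
    dropped.push(rawName); // unknown attrs such as onload="..." and malformed values
  }
  return { kept, dropped };
}
```

In a DOMPurify build that predates this PR, the equivalent is to pass the attribute names through the `ADD_ATTR` option; note that DOMPurify's allow list is flat, whereas the toy above scopes the new attributes to `feFunc*` elements.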