Closed: niklashultstrom closed this issue 7 years ago
Hi @niklashultstrom,

The `xlink:href` attribute is not removed in the sanitiser.

In your first example, you're using the `use` element. This is stripped from the file, rather than the `xlink:href` attribute. This is in line with the sanitisation of DOMPurify.

In your second example, again the `xlink:href` attribute is not removed, but the `image` element you've supplied is invalid XML and therefore the sanitiser fails to parse it and instead returns false.

This can be fixed by either self-closing the `image` element, or supplying a closing tag.

```xml
<image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)" />
<image overflow="visible" width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA...jbf8ADaP/2Q==" transform="matrix(0.48 0 0 0.48 521.2959 384.499)"></image>
```

To see this in action, try passing the following strings through http://svg.enshrined.co.uk/ and you will see the difference:
Hmmm, that would be nice to make the same as this: https://github.com/cure53/DOMPurify/issues/233

The usage of `<use...` with relative content is frequent.
Hello! Glad someone finally took on the SVG mess on WP :)

I ran into this issue though, causing the SVG image not to display:

Before

After (upload)

Similar with the `image` element, though just removing the `xlink:href` attribute:

Before

After

Which makes me wonder if `xlink:href` should be removed when containing just an `#id` or a base64 data image.
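To make the two behaviours in this thread concrete (the maintainer's explanation that `<use>` is dropped as a whole element while `xlink:href` on `<image>` survives, and that a malformed `<image>` makes the sanitiser return false rather than guess), here is a small stand-alone illustration in Python. It is added for this write-up and is not the svg-sanitizer library's own code or configuration: the allow-lists, the element and attribute names in them, and the three sample documents are constructed assumptions chosen to mirror the cases above.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XLINK_HREF = "{%s}href" % XLINK_NS  # ElementTree's Clark notation for xlink:href

# Keep the original prefixes when serialising, so xlink:href is written back as-is.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Hypothetical allow-lists (an assumption for this example, not the library's real lists).
# <use> is deliberately absent, mirroring the behaviour described in the thread:
# the element goes, the xlink:href attribute on allowed elements stays.
ALLOWED_ELEMENTS = {"svg", "g", "defs", "image", "path", "rect"}
ALLOWED_ATTRIBUTES = {"width", "height", "overflow", "transform", "id", "d", "viewBox", XLINK_HREF}


def _local_name(tag):
    """Strip the {namespace} part ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def _clean(elem):
    """Recursively drop disallowed attributes and elements in place."""
    for attr in list(elem.attrib):
        if attr not in ALLOWED_ATTRIBUTES:
            del elem.attrib[attr]
    for child in list(elem):
        if _local_name(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)  # whole subtree is removed, as with <use> above
        else:
            _clean(child)


def sanitize_svg(svg_text):
    """Return the sanitised SVG as a string, or False if the input is not well-formed XML."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return False  # a malformed document is rejected, not repaired
    if _local_name(root.tag) != "svg":
        return False
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed samples for the three cases in the thread (the base64 payload is a stub).
HEADER = '<svg xmlns="%s" xmlns:xlink="%s">' % (SVG_NS, XLINK_NS)
USE_SAMPLE = HEADER + '<defs><path id="shape" d="M0 0h10v10z"/></defs><use xlink:href="#shape"/></svg>'
UNCLOSED_IMAGE_SAMPLE = HEADER + '<image width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA"></svg>'
CLOSED_IMAGE_SAMPLE = HEADER + '<image width="66" height="77" xlink:href="data:image/jpeg;base64,/9j/4AA"/></svg>'


if __name__ == "__main__":
    print("use element:     ", sanitize_svg(USE_SAMPLE))
    print("unclosed <image>:", sanitize_svg(UNCLOSED_IMAGE_SAMPLE))
    print("closed <image>:  ", sanitize_svg(CLOSED_IMAGE_SAMPLE))
```

Running it shows the first document coming back without its `<use>` element but with the referenced `<path id="shape">` intact, the second returning `False` because `<image ...></svg>` is a mismatched tag, and the third keeping its `xlink:href` data URI. The point for anyone reading the "After (upload)" results above is that an empty output after upload and a `false` return are two different failures: one is the allow-list doing its job on `<use>`, the other is the XML parser refusing input that was never well-formed.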