darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

Is it possible to add 'animate' and 'set' to allowed Tags? #103

Closed m-kappenberg closed 2 weeks ago

m-kappenberg commented 1 month ago

Hi there :-)

many thanks for all your work.

Is it possible to add 'animate' to the allowed tags in AllowedTags.php?

            'altglyphitem',
            'animate',   <--- Please add this
            'animatecolor',
            'animatemotion',

            'set',    <--- Please add this, too

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/animate https://developer.mozilla.org/en-US/docs/Web/SVG/Element/set

Best regards Matthias Kappenberg

OliveLeb commented 4 weeks ago

You can use this to make it work, I think

You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.
<?php

// The three svg-sanitizer classes this snippet relies on.
use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedTags;
use enshrined\svgSanitize\data\TagInterface;

$sanitizer = new Sanitizer();
$sanitizer->setAllowedTags(
    new class implements TagInterface {
        public static function getTags(): array
        {
            return array_merge(
                AllowedTags::getTags(), // keep the tags already registered
                ['animate', 'set'] // add yours
            );
        }
    }
);

// The sanitizer now lets <animate> and <set> through.
$cleanSVG = $sanitizer->sanitize($dirtySVG);

I used an anonymous class there but feel free to create your own class

m-kappenberg commented 3 weeks ago

Many thanks for providing this solution.

darylldoyle commented 2 weeks ago

Hi all 👋

The animate and set elements are excluded for security reasons. Please see the example below:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>

If you'd like to add this to your system, the approach shown by @OliveLeb will work, but I do want to point out that it opens up a hole in the sanitiser.

For this reason, I'm going to close this as a wontfix.
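The maintainer's example shows why the two elements are dangerous: `attributeName` lets an animation element write any attribute of its parent, including `on*` event handlers. The following is an added example, not code from svg-sanitizer or from anyone in this thread. It reuses the anonymous-class approach from above to allow `animate` and `set`, then runs an extra pass (the `restrictAnimationTargets` function, an assumption of this example) that drops any `animate`/`set` element whose `attributeName` is not in a fixed list of presentation attributes, or whose value attributes carry a `javascript:` or `data:` URL. The namespaces `enshrined\svgSanitize\Sanitizer`, `enshrined\svgSanitize\data\AllowedTags` and `enshrined\svgSanitize\data\TagInterface` are the library's; the sample SVG is constructed for this example and combines the maintainer's two payloads with one harmless opacity animation.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedTags;
use enshrined\svgSanitize\data\TagInterface;

// Attributes an <animate>/<set> element may target. Event handlers (on*),
// href/xlink:href and style are deliberately absent, so an element such as
// <set attributeName="onmouseover" to="alert(1)"/> is removed.
// (Assumed allow-list for this example; extend it to what your content needs.)
const ANIMATABLE_ATTRIBUTES = [
    'opacity', 'fill', 'fill-opacity', 'stroke', 'stroke-width', 'stroke-opacity',
    'x', 'y', 'cx', 'cy', 'r', 'rx', 'ry', 'width', 'height', 'd', 'points',
    'transform', 'visibility', 'display',
];

// Attributes whose values the animation writes into the target attribute.
const ANIMATION_VALUE_ATTRIBUTES = ['from', 'to', 'by', 'values'];

/** Same allow-list extension as earlier in the thread, plus the extra pass. */
function sanitizeWithAnimation(string $svg): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->setAllowedTags(new class implements TagInterface {
        public static function getTags(): array
        {
            return array_merge(AllowedTags::getTags(), ['animate', 'set']);
        }
    });

    $clean = $sanitizer->sanitize($svg);
    if ($clean === false) {
        return null; // the library could not parse the input
    }
    return restrictAnimationTargets($clean);
}

/** Hypothetical post-pass: keep only animations that target presentation attributes. */
function restrictAnimationTargets(string $svg): ?string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $loaded = $doc->loadXML($svg, LIBXML_NONET); // LIBXML_NONET: no network fetches for external entities
    libxml_use_internal_errors($previous);
    if ($loaded === false) {
        return null;
    }

    $xpath = new DOMXPath($doc);
    // Collect first, then remove: removing nodes while iterating a live
    // DOMNodeList skips elements.
    $toRemove = [];
    foreach ($xpath->query('//*') as $el) {
        if (!in_array(strtolower($el->localName), ['animate', 'set'], true)) {
            continue;
        }
        $target = strtolower(trim($el->getAttribute('attributeName')));
        if ($target === '' || !in_array($target, ANIMATABLE_ATTRIBUTES, true)) {
            $toRemove[] = $el;
            continue;
        }
        // Defence in depth: no URL schemes in the animated values either.
        foreach (ANIMATION_VALUE_ATTRIBUTES as $name) {
            if (preg_match('/(javascript|data)\s*:/i', $el->getAttribute($name)) === 1) {
                $toRemove[] = $el;
                break;
            }
        }
    }
    foreach ($toRemove as $el) {
        $el->parentNode->removeChild($el);
    }
    return $doc->saveXML();
}

// Constructed sample: the two payloads from the thread plus one benign animation.
$dirtySVG = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="10" cy="10" r="5">
        <animate attributeName="opacity" from="1" to="0" dur="2s"/>
    </circle>
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>
SVG;

// Expected: the opacity <animate> survives, both on* elements are gone.
echo sanitizeWithAnimation($dirtySVG) ?? "could not parse input\n";
```

The post-pass runs on the library's output, so it only sees elements the allow-list already admitted; its job is narrowly to decide which parent attributes an animation may write. Because `DOMDocument` is namespace-aware, the `localName` comparison also catches prefixed forms such as `<svg:set>`, which a string match on the tag name would miss.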