Closed m-kappenberg closed 2 weeks ago
You can use this to make it work, I think.
You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.
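```php
use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedTags;
use enshrined\svgSanitize\data\TagInterface;

$sanitizer = new Sanitizer();
$sanitizer->setAllowedTags(
    // Anonymous TagInterface implementation that extends the default list
    new class implements TagInterface {
        public static function getTags(): array
        {
            return array_merge(
                AllowedTags::getTags(), // keep the tags already registered
                ['animate', 'set']      // add yours
            );
        }
    }
);
```
I used an anonymous class there, but feel free to create your own class.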
Many thanks for providing this solution.
Hi all 👋
The animate and set elements are excluded for security reasons. Please see the example below:
```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <set attributeName="onmouseover" to="alert(1)"/>
  <animate attributeName="onunload" to="alert(1)"/>
</svg>
```
If you'd like to add this to your system, the approach shown by @OliveLeb will work, but I do want to point out that it opens up a hole in the sanitiser.
For this reason, I'm going to close this as a wontfix.
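One way to narrow the hole described above when animate and set must be allowed is a post-filter, run on the sanitizer's output, that keeps these elements only if attributeName is on a short allowlist. This is an added example, not part of the thread or the library's code; the function name, the constant and the allowlist contents are assumptions.

```php
<?php
// Added example. SAFE_ANIMATION_TARGETS and stripUnsafeAnimations() are
// hypothetical names; the allowlist contents are an assumption to adapt.
const SAFE_ANIMATION_TARGETS = ['opacity', 'fill', 'stroke', 'x', 'y', 'cx', 'cy', 'r', 'width', 'height'];

function stripUnsafeAnimations(string $svg): string
{
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network access during parsing.
    if (!$dom->loadXML($svg, LIBXML_NONET)) {
        throw new InvalidArgumentException('Input is not well-formed XML');
    }

    // local-name() matches the elements with or without a namespace prefix.
    $xpath = new DOMXPath($dom);
    $nodes = $xpath->query("//*[local-name()='animate' or local-name()='set']");

    foreach ($nodes as $node) {
        // Exact, case-sensitive match. A missing attributeName yields '' and
        // is rejected too, so the filter fails closed.
        $target = $node->getAttribute('attributeName');
        if (!in_array($target, SAFE_ANIMATION_TARGETS, true)) {
            $node->parentNode->removeChild($node);
        }
    }

    return $dom->saveXML($dom->documentElement);
}

// Constructed sample: the two elements from the thread plus one benign animation.
$sample = <<<SVG
<svg xmlns="http://www.w3.org/2000/svg">
  <set attributeName="onmouseover" to="alert(1)"/>
  <animate attributeName="onunload" to="alert(1)"/>
  <circle r="5"><animate attributeName="opacity" from="0" to="1" dur="2s"/></circle>
</svg>
SVG;

echo stripUnsafeAnimations($sample), PHP_EOL;
```

Run on the sample, the filter removes the two elements that target event handler attributes and leaves the opacity animation in place.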
Hi there :-)
Many thanks for all your work.
Is it possible to add 'animate' to the allowed tags in AllowedTags.php?
https://developer.mozilla.org/en-US/docs/Web/SVG/Element/animate
https://developer.mozilla.org/en-US/docs/Web/SVG/Element/set
Best regards Matthias Kappenberg