So, maybe it's possible to add a proper structured parsing and make the Sanitizer aware of the currently processed element and have a list of allowed attributes per element?
For now I patched it in the global list which allows the to attribute for all tags.
It seems that the Sanitizer checks/allows all attributes for every tag, no matter if the attribute will be used for this tag or not.
This is why the
toattribute is not allowed because it can be a security issue for certain tags.However, the
toattribute seems to be not problematic for the<animateTransform>tag, so it should be allowed in this context. https://github.com/darylldoyle/svg-sanitizer/issues/85#issuecomment-2175715127Using TYPO3, the approach described in the comment seems to be not possible (so I was told) because of: https://github.com/TYPO3/typo3/blob/f086b0dff39786f3f2825c7f3a7275f88726020a/typo3/sysext/core/Classes/Resource/Security/SvgSanitizer.php#L50-L52
So, maybe it's possible to add a proper structured parsing and make the Sanitizer aware of the currently processed element and have a list of allowed attributes per element?
For now I patched it in the global list which allows the
toattribute for all tags.