darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

`<use...>` shouldn't be removed #16

Closed kent1D closed 6 years ago

kent1D commented 6 years ago

To complete #10: the `<use>` tag is often used with relative ids: https://developer.mozilla.org/fr/docs/Web/SVG/Element/use

To make stars for example where each part is a repetition of the main one.

There is a hook approach in DOMPurify that doesn't exist here: https://github.com/cure53/DOMPurify/issues/233#issuecomment-314384301

The cleaning should be done by cleaning xlink:href and href, which seems to be done also by cleanXlinkHrefs() and cleanHrefs() isn't it?

darylldoyle commented 6 years ago

Hi @kent1D,

I agree, I'd love to find a way to allow <use> elements through the sanitiser.

It's not actually cleanXlinkHrefs() or cleanHrefs() that's stripping the element; this happens during startClean(), specifically these lines:

```php
// If the tag isn't in the whitelist, remove it and continue with next iteration
if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
    $currentElement->parentNode->removeChild($currentElement);
    continue;
}
```

That said, if you'd like to allow the <use> element in the short term, you can use setAllowedTags() to pass through an updated list of tags that includes <use>. That paired with setting removeRemoteReferences() to true should give you the same result as that hook in DOMPurify.
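The workaround described in this reply, written out as an added example (not code from the issue thread or from the svg-sanitizer project): it assumes the package is installed through Composer as `enshrined/svg-sanitizer`, that `setAllowedTags()` accepts an object implementing the library's `TagInterface`, and that `AllowedTags::getTags()` returns the default whitelist. The sample SVG is constructed for the example.

```php
<?php
// Added example: allow <use> while dropping remote references, as suggested above.
// Assumes Composer autoloading and the enshrined\svgSanitize API named in the lead-in.
require 'vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedTags;

// Default whitelist plus <use>; everything else stays exactly as the library ships it.
class TagsWithUse extends AllowedTags
{
    public static function getTags()
    {
        return array_merge(parent::getTags(), ['use']);
    }
}

$sanitizer = new Sanitizer();
$sanitizer->setAllowedTags(new TagsWithUse());
// Strip href/xlink:href values that point outside the document, so <use> can only
// clone fragments defined in the same file (the effect of the DOMPurify hook in #233).
$sanitizer->removeRemoteReferences(true);

// Constructed sample: one local reference (should survive) and one remote (should not).
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <defs>
    <polygon id="star" points="50,5 61,40 98,40 68,62 79,96 50,75 21,96 32,62 2,40 39,40"/>
  </defs>
  <use xlink:href="#star" x="0" y="0"/>
  <use xlink:href="https://remote.example/other.svg#shape" x="10" y="10"/>
</svg>
SVG;

$clean = $sanitizer->sanitize($dirty);

// Checks a reviewer would run before trusting this configuration in production:
// the local <use> is kept, and no reference to the remote host survives.
var_dump(strpos($clean, '<use') !== false);
var_dump(strpos($clean, 'remote.example') === false);
```

Both `var_dump` calls should print `bool(true)`; if the second does not, the installed version handles remote references differently from the assumption here and the output should be inspected by hand.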