Closed kent1D closed 6 years ago
Hi @kent1D,

I agree, I'd love to find a way to allow `<use>` elements through the sanitiser.

It's not actually `cleanXlinkHrefs()` or `cleanHrefs()` that's stripping the element, this happens during `startClean()`, specifically these lines:

```php
// If the tag isn't in the whitelist, remove it and continue with next iteration
if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
    $currentElement->parentNode->removeChild($currentElement);
    continue;
}
```

That said, if you'd like to allow the `<use>` element in the short term, you can use `setAllowedTags()` to pass through an updated list of tags that includes `<use>`. That paired with setting `removeRemoteReferences()` to `true` should give you the same result as that hook in DOMPurify.

To complete #10 the `<use...` tag is often used with relative ids: https://developer.mozilla.org/fr/docs/Web/SVG/Element/use To make stars for example where each part is a repetition of the main one.

There is a hook approach in DomPurifier that doesn't exist here: https://github.com/cure53/DOMPurify/issues/233#issuecomment-314384301

The cleaning should be done by cleaning `xlink:href` and `href`, which seems to be done also by `cleanXlinkHrefs()` and `cleanHrefs()`, isn't it?
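
The behaviour discussed in this thread, as an added stand-alone illustration that is not the sanitiser library's own code: an allow-list pass like the quoted loop strips `<use>` unless the tag is added to the list, and a separate pass keeps only same-document `#id` references on `href` and `xlink:href`. The function `cleanSvg()`, the sample SVG and the fragment-only pattern are assumptions made for this example; the library's `removeRemoteReferences()` may apply different rules.

```php
<?php
// Added illustration; not the sanitiser library's code.
// Constructed sample: one local <use> reference, one remote one, one disallowed tag.
$svg = <<<SVGDOC
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><path id="arm" d="M0 0 L10 0"/></defs>
  <use xlink:href="#arm" transform="rotate(72)"/>
  <use href="https://example.invalid/sprite.svg#arm"/>
  <script>/* constructed placeholder */</script>
</svg>
SVGDOC;

const XLINK_NS = 'http://www.w3.org/1999/xlink';

// Hypothetical helper: allow-list the tags, then drop non-local references.
function cleanSvg(string $svg, array $allowedTags): string
{
    $doc = new DOMDocument();
    $doc->loadXML($svg, LIBXML_NONET); // no network access while parsing

    // Snapshot the live node list; walk it backwards so children go before parents.
    $elements = iterator_to_array($doc->getElementsByTagName('*'), false);
    foreach (array_reverse($elements) as $el) {
        // Same allow-list test as the loop quoted in the thread.
        if (!in_array(strtolower($el->localName), $allowedTags, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        // Keep only same-document fragment references (#id) on href / xlink:href.
        foreach ([[null, 'href'], [XLINK_NS, 'href']] as [$ns, $name]) {
            $value = $ns ? $el->getAttributeNS($ns, $name) : $el->getAttribute($name);
            if ($value !== '' && !preg_match('/^#[A-Za-z_][\w.\-]*$/D', trim($value))) {
                $ns ? $el->removeAttributeNS($ns, $name) : $el->removeAttribute($name);
            }
        }
    }
    return $doc->saveXML($doc->documentElement);
}

$base = ['svg', 'defs', 'path'];
echo cleanSvg($svg, $base), "\n\n";                     // both <use> elements and <script> are stripped
echo cleanSvg($svg, array_merge($base, ['use'])), "\n"; // <use> kept; the remote href is removed
```

In the second run the `<use>` that pointed at a remote URL stays in the output but no longer references anything, so it renders nothing.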