darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

Q: Are you aware of things this library does not catch? #19

Closed. tomjn closed this issue 5 years ago.

tomjn commented 5 years ago

I'm investigating this library and associated plugins for my employer on behalf of some clients. I'm curious, are there any known SVG issues that this does not catch? I know that SVGs can never be made 100% safe, but I'm trying to ascertain the level of mitigation this library provides, and determine the language and certainty that can be provided to clients if it's integrated into our processes.

darylldoyle commented 5 years ago

Hi @tomjn, I'm not aware of any issues that slip through currently and try to stay up to date on any bypasses found elsewhere. This library is probably still a little bit overly harsh on stripping elements and attributes but I'd rather be safe than sorry, especially with it being out in the wild.

There's a smoke test running at http://svg.enshrined.co.uk if you want to test the library and see if it fits your requirements.

If you wanted to be even more confident you could potentially pair it with https://github.com/cure53/DOMPurify and sanitise any user provided inline SVGs on the front end.
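For anyone evaluating the library the way the question describes, one practical way to raise confidence is to run the sanitizer and then apply your own independent check on its output before accepting the file, so that a future bypass in the allow-list logic is still caught by a second, simpler deny-list. The following is an added example written for this thread, not code from the svg-sanitizer project; it assumes the library is installed through Composer under its documented `enshrined\svgSanitize\Sanitizer` class, and it assumes (as a labelled assumption) that `sanitize()` returns `false` when the input cannot be parsed as XML. The `svgLooksInert()` helper is hypothetical and is not part of the library.

```php
<?php
// Added example, not part of svg-sanitizer: sanitize an uploaded SVG, then
// independently verify the result before storing or serving it.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Hypothetical second-line check. Returns true only if the document parses
 * and contains none of a short deny-list that an image-only SVG never needs:
 * script-bearing elements, event-handler attributes, and javascript: hrefs.
 * This is deliberately narrower than the library's allow-list; it exists to
 * catch a regression or bypass, not to replace the sanitizer.
 */
function svgLooksInert(string $svg): bool
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities while checking.
    // Do NOT add LIBXML_NOENT here; it would expand entities (XXE risk).
    $prev = libxml_use_internal_errors(true);
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($loaded === false) {
        return false; // unparsable output is rejected rather than guessed at
    }

    $deniedElements = ['script', 'foreignobject', 'iframe', 'object', 'embed'];

    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->localName), $deniedElements, true)) {
            return false;
        }
        foreach ($el->attributes as $attr) {
            // localName strips any prefix, so xlink:href and href both read "href"
            $name  = strtolower($attr->localName);
            $value = strtolower(trim($attr->nodeValue));

            if (strpos($name, 'on') === 0) {           // onload, onclick, onbegin, ...
                return false;
            }
            if ($name === 'href' && strpos($value, 'javascript:') === 0) {
                return false;
            }
        }
    }
    return true;
}

// Usage: php check-svg.php upload.svg   (reads stdin when no path is given)
$dirty = file_get_contents($argv[1] ?? 'php://stdin');

$sanitizer = new Sanitizer();
// Documented call. Assumption for this example: false means the XML
// could not be loaded, which we treat as a rejection.
$clean = $sanitizer->sanitize($dirty);

if ($clean === false || !svgLooksInert($clean)) {
    fwrite(STDERR, "Rejected: SVG failed sanitization or the independent check\n");
    exit(1);
}

echo $clean; // safe to persist; serve with a restrictive Content-Security-Policy
```

Rejecting on the second check rather than silently stripping keeps the failure visible: if the deny-list ever fires on sanitizer output, that is a signal worth logging and investigating rather than something to paper over. The front-end DOMPurify pass suggested above is a separate, third layer for SVGs that are inlined into the page.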

darylldoyle commented 5 years ago

Closing due to lack of activity.