Closed alex40724 closed 4 years ago
Hi @alex40724,
I understand that this is an issue with entities, but unfortunately removing the doctype is the only surefire way to protect against a lot of XML attacks, including XML entity expansion attacks, and therefore I have no resolution for this issue.
I'm sorry that's not much help to you, but it's the only way I can see to do this.
Hi @darylldoyle,
thanks for the answer.
I wonder why this is not an issue for others. Adobe products are widely used and embedding SVG in HTML pages should be a common use case, too.
There should be ways to remove the DOCTYPE and keep the file valid by resolving the entities / replacing the references in the attributes.
Currently I do not have the time to provide a PR for this, maybe later...
Same issue in a large corporate website, causing serious problems. Killing all dogs helps against rabid dogs ... But what about the sled dogs?
Hi,
not sure if I am doing anything wrong here. The sanitizer removes the DOCTYPE, which breaks entities being used, e.g. in this Adobe export file. After sanitizing the file and opening it directly in a browser, it produces errors like "Entity 'ns_extend' not defined".