darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0
456 stars 68 forks

"Cannot add self usage" error #35

Closed angrybrad closed 4 years ago

angrybrad commented 4 years ago

Happens when trying to sanitize the attached image.

icon.svg.zip

The SVG validates as valid XML, but I'm not smart enough to know if it's poorly done SVG or a bug in SVG sanitization.

Looks like this commit is where the behavior changed as it worked fine before it: https://github.com/darylldoyle/svg-sanitizer/commit/504da8296eb5c2e01250190da286294fd26dd0cc

darylldoyle commented 4 years ago

Hi @angrybrad,

Sorry for the delay in getting back to you. From what I can see, the issue comes from lines 70-71:

<g id="path-4">
    <use fill="url(#radialGradient-3)" fill-rule="evenodd" xlink:href="#path-4"></use>

As you can see, the xlink:href attribute on the <use> element actually points to the item that is its parent. This is then picked up as recursion and not allowed, due to the way we're parsing <use> elements to protect against denial-of-service attacks that use recursive <use> elements.

If this xlink:href is removed, then the sanitiser allows the SVG through.

I'm hoping that helps a bit?
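The check described in the reply above, written out as an added example (this is not svg-sanitizer's own code, and the three SVG inputs are constructed for the example, the first one modelled on the lines quoted from icon.svg). It resolves each <use> to the local element it references and rejects the document when that element is the <use> itself or one of its ancestors, which is exactly what happens with `<g id="path-4">` containing `<use xlink:href="#path-4">`. It also goes one step beyond the case in the issue by following chains of <use> elements, so an indirect cycle (a uses b, b uses a) is caught as well. It uses only the standard library's xml.etree; a real sanitizer additionally has to guard the parser against entity expansion, which this example does not attempt.

```python
"""Detect recursive <use> references in an SVG document.

Added example, not code from svg-sanitizer. A <use> whose href resolves
to itself, to one of its own ancestors, or (through other <use> elements)
back to an element that contains it can never be expanded to completion,
which is why a sanitizer must reject it.
"""
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: the <use> inside <g id="path-4"> references its own parent.
SELF_REFERENCING_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><radialGradient id="radialGradient-3"/></defs>
  <g id="path-4">
    <use fill="url(#radialGradient-3)" fill-rule="evenodd" xlink:href="#path-4"/>
  </g>
</svg>"""

# Constructed sample: an indirect cycle (a -> b -> a) that a parent-only check misses.
INDIRECT_CYCLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <g id="a"><use xlink:href="#b"/></g>
  <g id="b"><use xlink:href="#a"/></g>
</svg>"""

# Constructed sample: legitimate references to a shape defined elsewhere.
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="2"/></defs>
  <use xlink:href="#dot" x="10"/>
  <use href="#dot" x="20"/>
</svg>"""


def _local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{...svg}use'."""
    return tag.rsplit("}", 1)[-1]


def _href_target(elem):
    """Return the id a <use> points at (xlink:href or SVG 2 plain href), or None if not local."""
    ref = elem.get(XLINK_HREF) or elem.get("href") or ""
    return ref[1:] if ref.startswith("#") else None


def find_recursive_uses(svg_text):
    """Return the offending local references ("#id") of every recursive <use>.

    A <use> is recursive when its target is itself or an ancestor, or when
    following <use> elements inside the target eventually reaches an element
    that contains the original <use>. An empty list means the SVG is clean.
    """
    root = ET.fromstring(svg_text)
    # Parent links keyed by object identity; ElementTree has no parent pointer.
    parent = {id(child): p for p in root.iter() for child in p}
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}

    def ancestors_or_self(elem):
        chain = []
        while elem is not None:
            chain.append(id(elem))
            elem = parent.get(id(elem))
        return set(chain)

    offending = []
    for use in root.iter():
        if _local_name(use.tag) != "use":
            continue
        target_id = _href_target(use)
        if target_id is None or target_id not in by_id:
            continue  # external or dangling reference: not a recursion problem
        forbidden = ancestors_or_self(use)

        # Depth-first walk over the graph of <use> references starting at the target.
        stack, seen = [by_id[target_id]], set()
        while stack:
            node = stack.pop()
            if id(node) in forbidden:
                offending.append("#" + target_id)
                break
            if id(node) in seen:
                continue
            seen.add(id(node))
            for inner in node.iter():  # node.iter() includes node itself
                if _local_name(inner.tag) == "use":
                    inner_target = _href_target(inner)
                    if inner_target in by_id:
                        stack.append(by_id[inner_target])
    return offending


if __name__ == "__main__":
    for name, svg in [("self-referencing", SELF_REFERENCING_SVG),
                      ("indirect cycle", INDIRECT_CYCLE_SVG),
                      ("safe", SAFE_SVG)]:
        print(name, "->", find_recursive_uses(svg) or "ok")
```

Run against the first sample, the function reports "#path-4", the same reference the reply identifies; removing that xlink:href makes the list empty, matching the observation that the sanitiser then lets the file through.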

angrybrad commented 4 years ago

Makes sense and thanks for the follow-up. Will go ahead and close this.