Closed angrybrad closed 4 years ago
Hi @angrybrad,
Sorry for the delay in getting back to you. From what I can see, the issue comes from lines 70-71:

```xml
<g id="path-4">
<use fill="url(#radialGradient-3)" fill-rule="evenodd" xlink:href="#path-4"></use>
```

As you can see, the `xlink:href` attribute on the `<use>` element actually points to the item that is its parent. This is then picked up as recursion and not allowed due to the way we're parsing `<use>` elements to protect against denial of service attacks by using recursive `<use>`'s.

If this `xlink:href` is removed, then the sanitiser allows the SVG through.
I'm hoping that helps a bit?
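A pre-check for the condition described in the comment above, as an added example that is not part of the thread and not svg-sanitizer's own code (the library is PHP; this is an independent Python sketch). It goes beyond the parent-reference case and also flags indirect loops between several ids; the function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample built around the two lines quoted in the comment above.
SELF_REF = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <g id="path-4">
    <use fill="url(#radialGradient-3)" fill-rule="evenodd" xlink:href="#path-4"></use>
  </g>
  <use xlink:href="#dot"/>
</svg>"""

def _uses(element):
    """Yield every <use> in element's subtree (element included), any namespace."""
    return (el for el in element.iter() if el.tag.rsplit("}", 1)[-1] == "use")

def _target_id(use):
    """Return the id a <use> points at, or None for external or missing hrefs."""
    href = use.get(XLINK_HREF) or use.get("href") or ""
    return href[1:] if href.startswith("#") else None

def find_recursive_use(svg_text):
    """Return the ids whose <use> expansion loops back on itself."""
    # ElementTree is fine for this constructed input; parse untrusted files
    # with a hardened XML parser instead.
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    safe = set()  # ids already proven to expand without a loop

    def loops(tid, stack):
        if tid in stack:
            return True  # reference back into the expansion in progress
        if tid in safe or tid not in by_id:
            return False
        for use in _uses(by_id[tid]):
            if loops(_target_id(use), stack | {tid}):
                return True
        safe.add(tid)
        return False

    flagged = []
    for use in _uses(root):
        tid = _target_id(use)
        if tid not in flagged and loops(tid, frozenset()):
            flagged.append(tid)
    return flagged

if __name__ == "__main__":
    print(find_recursive_use(SELF_REF))  # ['path-4']
```

The `safe` set keeps the check linear on deeply shared but non-recursive reference graphs, so the pre-check does not itself become the expensive step.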
Makes sense and thanks for the follow-up. Will go ahead and close this.
Happens when trying to sanitize the attached image.
icon.svg.zip
The SVG validates as valid XML, but I'm not smart enough to know if it's poorly done SVG or a bug in SVG sanitization.
Looks like this commit is where the behavior changed as it worked fine before it: https://github.com/darylldoyle/svg-sanitizer/commit/504da8296eb5c2e01250190da286294fd26dd0cc