darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

Safelist to allow image elements in href attributes for SVGs #49

Open rebeccahum opened 3 years ago

rebeccahum commented 3 years ago

Since I don't think this is currently possible, it would be nice to be able to use setAllowedAttrs() to detect a starting pattern inside an href attribute like data:image/*.

e.g. this gets flagged as a false positive:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 735 70" width="735" height="70">
    <defs>
        <image width="735" height="70" id="img1" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUrPcSqAAAAABJRU5ErkJggg=="/>
    </defs>
</svg>
ohader commented 3 years ago

As far as I understood, it's not about the attribute name (like href), but about declaring allowed values or value patterns?

I've been working on a DOM-based sanitizer for HTML recently - it seems some concepts could be reused here as well to introduce custom Behavior. Please have a look at the example at https://github.com/typo3/html-sanitizer#example--api


$hrefAttr = (new Behavior\Attr('href'))
    ->addValues(new Behavior\RegExpAttrValue('#^https?://#'));

... would allow declaring an expected prefix, e.g. https:// or data:image/.+


$hrefAttr = (new Behavior\Attr('href'))
    ->addValues(new Behavior\ClosureAttrValue(function (string $value): bool {
        // custom logic, decoding base64 string, check mime-type
        return true; // in case everything is fine - otherwise reject with `false`
    }));

... would allow declaring individual handling and delegating to some other service implementation


Just wanted to share my ideas on that topic... 😉
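
The closure sketched in the comment above leaves the actual check ("decoding base64 string, check mime-type") open. The block below is an added example, not code from svg-sanitizer or typo3/html-sanitizer, showing what such a value check could look like for the data:image case from the issue: instead of trusting the declared `data:image/...` prefix, it decodes the base64 payload and compares the leading bytes with the signature of the declared type, and it only accepts a short allowlist of raster formats (image/svg+xml is deliberately left out, since a nested SVG document is markup rather than pixel data). The function name `isSafeRasterImageDataUri`, the allowlist and the sample inputs are this example's own assumptions; the base64 value marked "from the issue" is the one rebeccahum posted, the others are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not part of svg-sanitizer or typo3/html-sanitizer).
 * Accepts a value only if it is a base64 data: URI whose declared type is an
 * allowlisted raster format AND whose decoded bytes start with that format's
 * magic bytes. Everything else (other schemes, unknown types, undecodable or
 * mismatching payloads) is rejected.
 */
function isSafeRasterImageDataUri(string $value): bool
{
    // Assumed allowlist: declared MIME type => expected leading bytes.
    // image/svg+xml is intentionally absent (it is a document, not pixel data).
    $signatures = [
        'image/png'  => "\x89PNG\r\n\x1a\n",
        'image/gif'  => 'GIF8',        // GIF87a / GIF89a
        'image/jpeg' => "\xFF\xD8\xFF",
        'image/webp' => 'RIFF',        // RIFF<size>WEBP, second part checked below
    ];

    // Only the base64 form of data: URIs is considered; percent-encoded bodies are rejected.
    if (!preg_match('#^data:([a-z0-9.+-]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=\s]+)$#i', $value, $m)) {
        return false;
    }
    $declared = strtolower($m[1]);
    if (!isset($signatures[$declared])) {
        return false;
    }

    // Strip whitespace that some encoders insert, then decode strictly so that
    // any character outside the base64 alphabet makes the decode fail.
    $bytes = base64_decode(preg_replace('/\s+/', '', $m[2]), true);
    if ($bytes === false || $bytes === '') {
        return false;
    }

    $magic = $signatures[$declared];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return false;
    }
    if ($declared === 'image/webp' && substr($bytes, 8, 4) !== 'WEBP') {
        return false;
    }
    return true;
}

// Wiring it in the way the comment above sketches (typo3/html-sanitizer's
// Behavior API; the sanitizer-specific plumbing around this is assumed):
//
// $hrefAttr = (new Behavior\Attr('href'))
//     ->addValues(new Behavior\ClosureAttrValue(function (string $value): bool {
//         return isSafeRasterImageDataUri($value);
//     }));

$samples = [
    // from the issue: a PNG header, declared as image/png -> accepted
    'data:image/png;base64,iVBORw0KGgoAAAANSUhEUrPcSqAAAAABJRU5ErkJggg==' => true,
    // constructed: GIF bytes ("GIF89a") declared as image/png -> mismatch, rejected
    'data:image/png;base64,R0lGODlh'                                      => false,
    // constructed: nested SVG document, not in the allowlist -> rejected
    'data:image/svg+xml;base64,PHN2Zz48L3N2Zz4='                          => false,
    // constructed: not a data: URI at all -> rejected
    'https://example.invalid/logo.png'                                    => false,
];

foreach ($samples as $href => $expected) {
    $result = isSafeRasterImageDataUri($href);
    printf("%s  %s\n", $result === $expected ? 'ok ' : 'BAD', $href);
}
```

The check is deliberately conservative: a declared type that is not in the allowlist, or a payload whose leading bytes disagree with the declared type, is rejected rather than "repaired", which keeps the decision simple to reason about when it is later exposed to callers who may not know why a value was refused by default.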

darylldoyle commented 2 years ago

Interesting, so I guess you're looking for a way to filter the isHrefSafeValue() method?

I think that could be a good addition, my concern was always that people could allow things without having context on why they're not allowed by default. I'll have a look into this.

@ohader I'd love to hear more about that, do you have that code anywhere that I can look into?

benjiwheeler commented 2 years ago

I'm a bit confused -- when I use the project author's online demo at https://svg.enshrined.co.uk/ , your code comes through fine. What am I missing?