darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

Multiple issues preventing removal of external references #50

Open aimeos opened 3 years ago

aimeos commented 3 years ago

If removeRemoteReferences(true) is used, the current code fails to remove attributes with namespaces (e.g. "xlink:href"), "http" and "ftps" URLs and all URLs not wrapped in url('...').
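As an added example (not code from svg-sanitizer or this issue's PR), a small Python checker a practitioner could run over sanitizer output to confirm that none of the three gaps listed above survive: it matches href by local name so a namespaced xlink:href is caught, it never consults the scheme so http and ftps count the same as https, and it scans attribute values both inside and outside url('...'). The sample SVG and its example.invalid hosts are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# url(...) token, quoted or not; group 1 is the target inside the parentheses
_CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.IGNORECASE)
# absolute (any scheme) or protocol-relative URL found outside a url(...) token
_BARE_URL_RE = re.compile(r"(?:[a-z][a-z0-9+.\-]*:)?//[^\s'\"()]+", re.IGNORECASE)


def is_external(target):
    """Anything other than an in-document fragment or a data: URI is external."""
    t = target.strip().lower()
    return bool(t) and not (t.startswith("#") or t.startswith("data:"))


def _url_tokens(value):
    """All URL-like targets in an attribute or stylesheet value."""
    targets = [m.group(1).strip() for m in _CSS_URL_RE.finditer(value)]
    remainder = _CSS_URL_RE.sub(" ", value)  # then look for bare URLs in the rest
    return targets + [m.group(0) for m in _BARE_URL_RE.finditer(remainder)]


def find_external_references(svg_text):
    """Return (element, attribute, target) for every external reference left.
    Attributes are matched by local name, so a namespaced xlink:href is handled
    exactly like a plain href, and the URL scheme is deliberately not consulted."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        for name, value in el.attrib.items():
            if name.rsplit("}", 1)[-1] == "href":
                if is_external(value):
                    findings.append((tag, name, value.strip()))
                continue
            findings += [(tag, name, t) for t in _url_tokens(value) if is_external(t)]
        if tag == "style" and el.text:  # url() inside an embedded stylesheet
            findings += [(tag, "text", t) for t in _url_tokens(el.text) if is_external(t)]
    return findings


# Constructed sample: one element per case the issue reports as missed, plus two
# local references that must not be flagged.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://example.invalid/a.png" width="1" height="1"/>
  <use href="ftps://example.invalid/defs.svg#x"/>
  <rect fill="url('http://example.invalid/p.svg#g')"/>
  <rect mask="//example.invalid/m.svg#m"/>
  <style>.c { fill: url(https://example.invalid/s.css) }</style>
  <circle fill="url(#local)"/><a href="#local"><text>ok</text></a>
</svg>"""
```

Running `find_external_references` over a sanitizer's output and asserting an empty list is a cheap regression test for the behaviour this issue asks for.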

aimeos commented 3 years ago

@darylldoyle Can you have a look at the PR, because without it, Server-Side Request Forgery is possible.

ohader commented 2 years ago

Seems to be reasonable. I'll add some more test cases covering the new behavior during the next few days - in case somebody else is faster, please don't hesitate... 😉

darylldoyle commented 2 years ago

Is it possible to get some test cases added for this please?