Open Bersman opened 2 years ago
Problem is: https://github.com/darylldoyle/svg-sanitizer/blob/master/src/Sanitizer.php#L369
Change:
$attrName = $element->attributes->item($x)->name;
to
$attrName = $element->attributes->item($x)->nodeName;
it solves the problem, I'm unsure about the side effects...
Three problems:

`xml:whitespace` in XML is `xml:whitespace="default"`, not `xml:whitespace="preserve"`. Currently the sanitizer assumes the reverse and adds `xml:whitespace="preserve"`, which is never needed in any sanitized SVG. And this changes the behavior of parsers, adding a lot of whitespace-only text elements visible to parsers.

`xml:whitespace="preserve"` in the input, the white spaces present in text element contents are correctly filtered out, and the output does not "need" to generate any newlines or indentation of elements, all is packed in one line. But if there are some other spurious elements (not used in SVG, which has NO useful text element in its own schema, except if other non-SVG elements are present and included by using some namespace prefix), these indentation spaces and line breaks are kept (even if these elements have been sanitized and eliminated), even if they are "sane". You should drop them, or possibly indent elements meaningfully.

`<element [attributes...]/>` instead of `<element [attributes...]></element>`, which is unnecessarily verbose, especially when you've incorrectly assumed `xml:whitespace="preserve"`, which is only meaningful if there are text-elements (never used in valid SVG, but they may appear in HTML5-embedded SVG, which allows mixing non-SVG elements); using the correct default value of `xml:whitespace="default"`, you expect to see possible text-elements, but valid SVG discards them if they are only whitespace, even in HTML5!

`<style>...</style>` element. But even there, `xml:white-space="preserve"` is not needed. You may still output the CSS with all these whitespaces compressed, or with basic newlines at start and end and between selectors `{ [key:value];* [key:value] }`, and inside braces `{}` at start and end and in the middle between `key:value` pairs (pairs may be indented according to the brace-level). Note also that the CSS in the text-content of `<style>` elements and inside `style="..."` attributes of any SVG elements must be sanitized too (they can contain scripts, and unsafe URIs with some dangerous URI schemes, or "bad" external sites if you accept "http:" or "https:").

`<style>` element or `style="..."` attributes).

So please use `xml:whitespace="default"` as the default and clean up the generated code! Indentation and line breaks in CSS text-elements and of XML elements are optional and should be an option (a checkbox), but proper cleanup of white spaces in input should still be performed according to the `xml:whitespace` value (which may change only explicitly inside each XML element).
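The cleanup the comment above asks for, written out as an added example (this is not svg-sanitizer's code and not the commenter's): PHP's DOM is used to drop whitespace-only text nodes wherever the `xml:space` value in effect is the XML default, and to keep them only under an element that explicitly sets `xml:space="preserve"`. The input document is constructed for the example; the function and constant names are my own.

```php
<?php
// Added example, not part of svg-sanitizer. Removes whitespace-only text nodes
// from an SVG document according to the xml:space value in effect: the XML default
// is "default", so such nodes are ignorable unless the nearest element (self or
// ancestor) that carries xml:space says "preserve".
declare(strict_types=1);

// Constructed input: only the <g> subtree opts into whitespace preservation.
const SAMPLE_SVG = <<<'SVG'
<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect x="1" y="1" width="8" height="8"/>
  <g xml:space="preserve">
    <text x="2" y="5">  kept  </text>
    <circle cx="5" cy="5" r="1"/>
  </g>
  <style>
    rect { fill: none; }
  </style>
</svg>
SVG;

function loadSvg(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    // Keep the document exactly as parsed; the xml:space decision is made below.
    $doc->preserveWhiteSpace = true;
    // LIBXML_NONET: never fetch external DTDs or entities while parsing untrusted SVG.
    $doc->loadXML($xml, LIBXML_NONET);
    return $doc;
}

/** Number of text nodes that consist only of whitespace. */
function countBlankTextNodes(DOMDocument $doc): int
{
    $xpath = new DOMXPath($doc);
    return $xpath->query("//text()[normalize-space(.) = '']")->length;
}

/**
 * Drop whitespace-only text nodes except where the nearest element that sets
 * xml:space says "preserve". On the ancestor axis, [1] is the closest ancestor,
 * so an inner xml:space="default" correctly overrides an outer "preserve".
 * The "xml" prefix is predefined in XPath, so no namespace registration is needed.
 * Returns the number of nodes removed.
 */
function stripIgnorableWhitespace(DOMDocument $doc): int
{
    $xpath = new DOMXPath($doc);
    $blanks = $xpath->query(
        "//text()[normalize-space(.) = '' "
        . "and not(ancestor::*[@xml:space][1][@xml:space = 'preserve'])]"
    );
    $removed = 0;
    foreach ($blanks as $text) {
        $text->parentNode->removeChild($text);
        $removed++;
    }
    return $removed;
}

$doc = loadSvg(SAMPLE_SVG);
printf("whitespace-only text nodes before: %d\n", countBlankTextNodes($doc));
$removed = stripIgnorableWhitespace($doc);
printf("removed: %d, kept under xml:space=\"preserve\": %d\n", $removed, countBlankTextNodes($doc));
$doc->formatOutput = false;   // emit the cleaned tree as-is, without re-indenting it
echo $doc->saveXML();
```

The blanks directly under `<svg>` are removed, while those inside the `<g xml:space="preserve">` and the CSS text inside `<style>` (which is not whitespace-only) are left untouched, so the serialized output is compact without inventing or dropping whitespace the document itself marked as significant.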
Just fixed this locally, and then realized there may be an open issue already...
Opened a pull-request, hoping this will be fixed, because currently, there is no way to determine whether the file was sanitized or not.
We have exported a SVG with Adobe and the sanitizer does not like that. It gives the following errors:
There are sanitization issues with this SVG file: Suspicious attribute 'space' in line 4
Suspicious attribute 'enable-background' in line 4
Generator is: Adobe Illustrator 19.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)
Issue #63 is for the enable-background. But the space attribute is something weird.
Relevant code of the SVG:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Layer_1" version="1.1" x="0px" y="0px" width="600px" height="600px" viewBox="0 0 600 600" xml:space="preserve">
If you sanitize this the getXmlIssues() function will return the error above: Suspicious attribute 'space' in line 4
Somehow the code strips xml: Did not find the problem/solution for this.
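Both the one-line fix in the issue body (`->name` to `->nodeName`) and the symptom in the comment above come from the same PHP DOM detail: `DOMAttr::$name` holds only the local part of a namespaced attribute's name, so `xml:space` is seen as `space` and fails a lookup in a list keyed on qualified names. The following is an added example (not svg-sanitizer's code) that loads the `<svg>` start tag quoted above, shows what each DOM property returns for that attribute, and runs the same allow-list check both ways. The allow-list, the `<use>` child and all function names are assumptions made for the example.

```php
<?php
// Added example, not svg-sanitizer's own code. Shows why a whitelist lookup that
// reads DOMAttr::$name reports xml:space as "space": $name holds the local part,
// while $nodeName holds the qualified name a whitelist is usually keyed on.
declare(strict_types=1);

// The <svg> start tag quoted in this thread, closed and given one namespaced
// child (the <use> element is constructed for the example).
const ADOBE_SVG = <<<'SVG'
<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Layer_1" version="1.1" x="0px" y="0px" width="600px" height="600px" viewBox="0 0 600 600" xml:space="preserve">
<use xlink:href="#Layer_1"/>
</svg>
SVG;

// Assumed allow-list of qualified attribute names, in the style a sanitizer keeps.
const ALLOWED_ATTRIBUTES = [
    'id', 'version', 'x', 'y', 'width', 'height', 'viewBox', 'xml:space', 'xlink:href',
];

/** What PHP's DOM reports for each attribute of one element, keyed by qualified name. */
function describeAttributes(DOMElement $element): array
{
    $rows = [];
    $attrs = $element->attributes;   // xmlns declarations are not part of this map
    for ($x = 0; $x < $attrs->length; $x++) {
        /** @var DOMAttr $attr */
        $attr = $attrs->item($x);
        $rows[$attr->nodeName] = [
            'name'         => $attr->name,          // local part only, e.g. "space"
            'nodeName'     => $attr->nodeName,      // qualified name, e.g. "xml:space"
            'localName'    => $attr->localName,
            'prefix'       => $attr->prefix,        // "xml", or "" when unprefixed
            'namespaceURI' => $attr->namespaceURI,  // null when unprefixed
        ];
    }
    return $rows;
}

/**
 * Attributes not on the allow-list, checked the way the issue describes:
 * $useQualifiedName = false reproduces the bug (compares $name),
 * $useQualifiedName = true applies the proposed fix (compares $nodeName).
 */
function findSuspiciousAttributes(DOMDocument $doc, bool $useQualifiedName): array
{
    $suspicious = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        $attrs = $element->attributes;
        for ($x = 0; $x < $attrs->length; $x++) {
            $attr = $attrs->item($x);
            $attrName = $useQualifiedName ? $attr->nodeName : $attr->name;
            if (!in_array($attrName, ALLOWED_ATTRIBUTES, true)) {
                $suspicious[] = sprintf(
                    "Suspicious attribute '%s' in line %d",
                    $attrName,
                    $element->getLineNo()
                );
            }
        }
    }
    return $suspicious;
}

$doc = new DOMDocument();
$doc->loadXML(ADOBE_SVG, LIBXML_NONET);   // never fetch external resources for untrusted SVG

print_r(describeAttributes($doc->documentElement)['xml:space']);
echo "checked against \$name (the bug):\n";
print_r(findSuspiciousAttributes($doc, false));
echo "checked against \$nodeName (the fix):\n";
print_r(findSuspiciousAttributes($doc, true));
```

With `$name`, both `xml:space` and `xlink:href` are flagged under their local names even though their qualified names are on the list; with `$nodeName` the list matches. A check that wants to reason about the namespace rather than the prefix string can compare `localName` together with `namespaceURI` instead, which also survives documents that bind the XLink namespace to a different prefix.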