darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0
454 stars 67 forks

CDATA section is removed #70

Closed jkanape closed 2 years ago

jkanape commented 2 years ago

From version 15.0, CDATA nodes are removed.

Example document:

<svg>
  <defs>
    <style type="text/css"><![CDATA[
        .fil0 {fill:#FF0000}
    ]]></style>
  </defs>
</svg>

Result from 15.0 (15.1, 15.2):

<svg>
    <defs>
      <style type="text/css"></style>
    </defs>
</svg>

Suspicious node '#cdata-section'

Result before 15.0 (14.1):

<svg>
  <defs>
    <style type="text/css"><![CDATA[
        .fil0 {fill:#00994E}
    ]]></style>
  </defs>
</svg>

Can't find a way to add #cdata-section to the safe nodes, as the list is hardcoded:

$safeNodes = [
    '#text',
];
zcorpan commented 2 years ago

As I commented in https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-fqx8-v33p-4qcc

So are CDATA sections always removed? That seems a bit overkill, replacing them with text nodes with the same data should be safe and not remove legitimate information.
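The alternative zcorpan describes, converting each CDATA section into a plain text node carrying the same data rather than dropping it, as an added example. This is not code from svg-sanitizer or from either commenter; the function names (cdataToText, collectCdata, check) and the sample SVG are illustrative assumptions, not the library's API. The security-relevant point it demonstrates is that a text node is entity-escaped when serialised, so the data survives intact but can only ever be read back as character data, never as markup.

```php
<?php
declare(strict_types=1);

// Added example (not svg-sanitizer's own code): turn every CDATA section into
// an ordinary text node with the same data instead of removing it. Function
// names and the sample document are illustrative assumptions.

/**
 * Replace every CDATA section under $root with a text node holding the same
 * characters. Returns the number of sections converted.
 *
 * A text node is entity-escaped on serialisation (libxml writes < as &lt;,
 * > as &gt; and & as &amp;), so whatever sat inside the CDATA wrapper can only
 * be re-parsed as character data. No legitimate content is lost.
 */
function cdataToText(DOMNode $root): int
{
    // Collect first, then mutate: replacing nodes while iterating over
    // childNodes is not safe in the DOM API.
    $sections = [];
    collectCdata($root, $sections);

    $doc = $root instanceof DOMDocument ? $root : $root->ownerDocument;
    foreach ($sections as $cdata) {
        $cdata->parentNode->replaceChild($doc->createTextNode($cdata->data), $cdata);
    }
    return count($sections);
}

/** Depth-first walk that appends every DOMCdataSection below $node to $out. */
function collectCdata(DOMNode $node, array &$out): void
{
    foreach ($node->childNodes as $child) {
        if ($child->nodeType === XML_CDATA_SECTION_NODE) {
            $out[] = $child;
        } elseif ($child->hasChildNodes()) {
            collectCdata($child, $out);
        }
    }
}

/** Minimal self-check helper so the script fails loudly instead of silently. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Constructed input modelled on the document in the issue, plus a second
// CDATA section holding markup-looking text to show how it is serialised.
$svg = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <style type="text/css"><![CDATA[
        .fil0 {fill:#FF0000}
        a > b { color: red }
    ]]></style>
  </defs>
  <desc><![CDATA[<script>alert(1)</script>]]></desc>
</svg>
SVG;

$doc = new DOMDocument();
// LIBXML_NONET: never let the parser fetch external resources while sanitising.
$doc->loadXML($svg, LIBXML_NONET);

$styleBefore = $doc->getElementsByTagName('style')->item(0)->textContent;
$converted   = cdataToText($doc);
$out         = $doc->saveXML();

// 1. every CDATA section was converted and none survives in the output
check($converted === 2, 'two CDATA sections converted');
check(strpos($out, '<![CDATA[') === false, 'no CDATA marker left in output');
// 2. the stylesheet text is byte-for-byte what it was
check($doc->getElementsByTagName('style')->item(0)->textContent === $styleBefore,
      'stylesheet text preserved');
// 3. markup-looking payload is escaped, so a re-parse yields no <script> element
check(strpos($out, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false,
      'payload serialised as escaped text');
$reparsed = new DOMDocument();
$reparsed->loadXML($out, LIBXML_NONET);
check($reparsed->getElementsByTagName('script')->length === 0,
      'no script element after re-parse');

echo $out;
```

If you need the stylesheet to survive the sanitizer as shipped, you can run this conversion over the document before handing it to the library: the content then arrives as a `#text` node, which is already in the hardcoded safe list, assuming `<style>` itself is permitted by your allowed-tags configuration. Note that this only settles the node type; whether the CSS inside is acceptable is a separate check the example does not make.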