darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

Valid attributes for animations are removed #85

Closed BluechipZellAmSee closed 3 months ago

BluechipZellAmSee commented 1 year ago

SVGs with animateTransform elements which contain from and to attributes don't work after sanitizing, because from and to are removed. See attached file. test

birdkiwi commented 1 year ago

calcMode is also absent, any reason why?

medarob commented 3 months ago

> calcMode is also absent, any reason why?

@birdkiwi Can you please add another issue for this problem so that a separate PR could be created? I added a PR for the mentioned issue from the original poster.

darylldoyle commented 3 months ago

Hi all 👋

The issue with to as an attribute is that it can be used within other elements to change values. This makes it vulnerable, which is why it was removed initially.

For example, the below:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>

Now whilst this might not be the case with the animateTransform, the way this sanitiser is set up, with a global list of allowed attributes, means we can't allow it for just one.

If you want this to be added within your system, I suggest extending the AllowedAttributes::class and including it there.

For now, I'm going to close this as a wontfix.
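
One way to act on the suggestion in the last comment, as an added example that is not code from this thread or from the project: extend the allow-list with from and to, then remove any animation element whose attributeName is not a known presentation target. It assumes the library is installed through Composer as enshrined/svg-sanitize and uses its Sanitizer::setAllowedAttrs() method; the names AnimationAttributes, dropUnsafeAnimations and the $safeTargets list are hypothetical.

```php
<?php
require __DIR__ . '/vendor/autoload.php'; // assumes enshrined/svg-sanitize is installed via Composer

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedAttributes;

// Hypothetical subclass: the stock allow-list plus the two attributes from this issue.
class AnimationAttributes extends AllowedAttributes
{
    public static function getAttributes()
    {
        return array_merge(parent::getAttributes(), ['from', 'to']);
    }
}

// Hypothetical guard: with `from`/`to` allowed on every element, drop any animation
// element whose attributeName is missing or not on a short list of safe targets.
function dropUnsafeAnimations(string $svg, array $safeTargets = ['transform', 'opacity']): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) {
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }
    $animTags = ['set', 'animate', 'animatecolor', 'animatetransform'];
    // iterator_to_array() snapshots the live node list so removals do not skip nodes.
    foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
        if (!in_array(strtolower($el->localName), $animTags, true)) {
            continue;
        }
        $target = strtolower(trim($el->getAttribute('attributeName')));
        if (!in_array($target, $safeTargets, true)) {
            $el->parentNode->removeChild($el);
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample: one legitimate animation plus the <set> from the example above.
$dirty = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10">'
       . '<animateTransform attributeName="transform" type="rotate" from="0 5 5" to="360 5 5" dur="2s"/>'
       . '</rect><set attributeName="onmouseover" to="alert(1)"/></svg>';

$sanitizer = new Sanitizer();
$sanitizer->setAllowedAttrs(new AnimationAttributes());
$clean = $sanitizer->sanitize($dirty);
echo $clean === false ? "rejected\n" : dropUnsafeAnimations($clean) . "\n";
```

The guard is an allow-list on purpose: extend $safeTargets with the presentation attributes your SVGs actually animate rather than trying to enumerate event-handler names.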