Closed BluechipZellAmSee closed 3 months ago
calcMode is also absent, any reason why?
@birdkiwi Can you please add another issue for this problem so that a separate PR could be created? I added a PR for the mentioned issue from the original poster.
Hi all 👋
The issue with to as an attribute is that it can be used within other elements to change values. This makes it vulnerable, which is why it was removed initially.
For example, the below:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>
Now whilst this might not be the case with the animateTransform, the way this sanitiser is set up, with a global list of allowed attributes, means we can't allow it for just one.
If you want this to be added within your system, I suggest extending the AllowedAttributes::class and including it there.
For now, I'm going to close this as a wontfix.
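The point the maintainer makes above is that a global attribute allow-list cannot express "to is fine on animateTransform but not on set or animate", because a SMIL animation element writes whatever attributeName it names, including event-handler attributes. The following is an added illustration of that element-scoped check, written in Python with the standard library rather than in the sanitiser's own PHP; it is not code from the project or from anyone in this thread. It assumes the conservative policy that from/to/values/by survive only on an animateTransform whose attributeName is transform, or on another animation element whose target is not an on* handler or a href, and the sample SVG is constructed for the demonstration (its first two animation lines are the ones quoted above).

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# SMIL animation elements: each writes a value into the attribute named by attributeName.
ANIMATION_ELEMENTS = {"set", "animate", "animateMotion", "animateColor", "animateTransform"}

# Attributes through which an animation element injects its value.
VALUE_ATTRS = ("from", "to", "values", "by")


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def is_dangerous_target(attribute_name):
    """True if animating this attribute could introduce script or a navigation target."""
    name = attribute_name.strip().lower()
    return name.startswith("on") or name in {"href", "xlink:href"}


def value_attrs_allowed(element):
    """Element-scoped policy (assumption for this example, not the sanitiser's rule)."""
    tag = local_name(element.tag)
    target = element.get("attributeName", "")
    if tag == "animateTransform":
        # animateTransform can only legitimately drive 'transform', which cannot carry script.
        return target == "transform"
    # set/animate/...: fine for things like opacity, never for on* handlers or href.
    return not is_dangerous_target(target)


def scrub_animation_values(svg_text):
    """Return (sanitised_svg, removed) where removed lists (element, attributeName, attr)."""
    ET.register_namespace("", SVG_NS)  # keep the default namespace on serialisation
    root = ET.fromstring(svg_text)
    removed = []
    for element in root.iter():
        if local_name(element.tag) not in ANIMATION_ELEMENTS:
            continue
        if value_attrs_allowed(element):
            continue
        for attr in VALUE_ATTRS:
            if attr in element.attrib:
                del element.attrib[attr]
                removed.append((local_name(element.tag), element.get("attributeName", ""), attr))
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the two lines quoted in the thread plus two benign animations.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<set attributeName="onmouseover" to="alert(1)"/>
<animate attributeName="onunload" to="alert(1)"/>
<rect width="10" height="10">
  <animateTransform attributeName="transform" type="rotate" from="0" to="360" dur="1s"/>
  <animate attributeName="opacity" from="0" to="1" dur="1s"/>
</rect>
</svg>"""


if __name__ == "__main__":
    cleaned, dropped = scrub_animation_values(SAMPLE_SVG)
    for entry in dropped:
        print("removed %s from <%s attributeName=%r>" % (entry[2], entry[0], entry[1]))
    print(cleaned)
```

Running it strips only the two `to` attributes that target event handlers and leaves the rotate animation and the opacity fade intact, which is exactly the distinction a per-element policy can make and a flat allow-list cannot.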
SVGs with animateTransform elements which contain from and to attributes don't work after sanitizing, because from and to are removed. See attached file.