When sanitizing an image like the example below, a href attribute pointing to a remote resource in an image element does not get removed, when $sanitizer->removeRemoteReferences(true); has been called before sanitizing:
I narrowed this down to the hasRemoteReference method of Sanitizer. (Link points to the 0.16.0 version, but the code in master branch is currently identical.) There is an early return in the method, introduced by PR #15, which seems to cause that potentially only attributes that are along the lines of fill="url('http://trackingsite.tld/image.png')" are removed, but the more straightforward references like the cat image from Wikimedia Commons in the example above are left alone.
I tried commenting out the middle part of the hasRemoteReference method, leaving only the first and last line active:
I haven't tested older versions of svg-sanitizer, but looking at the code history it seems like this roughly corresponds to the way the method originally worked.
To me removing hrefs that point to remote resources seems like the intended functionality when removeRemoteReferences is enabled, but it's also not how the code currently works. I'm not suggesting to just remove the code that removes url() references - handling them is clearly important too - but am not sure what would be the best change to hasRemoteReference as I don't understand why the early return was added.
When sanitizing an image like the example below, a href attribute pointing to a remote resource in an image element does not get removed, when
$sanitizer->removeRemoteReferences(true);has been called before sanitizing:I narrowed this down to the hasRemoteReference method of Sanitizer. (Link points to the 0.16.0 version, but the code in master branch is currently identical.) There is an early return in the method, introduced by PR #15, which seems to cause that potentially only attributes that are along the lines of
fill="url('http://trackingsite.tld/image.png')"are removed, but the more straightforward references like the cat image from Wikimedia Commons in the example above are left alone.I tried commenting out the middle part of the hasRemoteReference method, leaving only the first and last line active:
I haven't tested older versions of svg-sanitizer, but looking at the code history it seems like this roughly corresponds to the way the method originally worked.
To me removing hrefs that point to remote resources seems like the intended functionality when removeRemoteReferences is enabled, but it's also not how the code currently works. I'm not suggesting to just remove the code that removes url() references - handling them is clearly important too - but am not sure what would be the best change to hasRemoteReference as I don't understand why the early return was added.