formio / formio.js

JavaScript powered Forms with JSON Form Builder
https://formio.github.io/formio.js
MIT License

Safe handling of SVG <use> href #5399

Open Rolf-MP opened 12 months ago

Rolf-MP commented 12 months ago

See: https://github.com/formio/formio.js/issues/4224 And (merged to master): https://github.com/formio/formio.js/pull/5394

Thus DOMPurify has an SVG profile.

However, this profile filters out the <use> tag as it is potentially unsafe when referencing external content. A straightforward, but potentially unsafe, approach is to simply add use to the allowed tags in options (once the above merge is released).

In sandbox:

{
  "sanitizeConfig": {
    "useProfiles": {
      "svg": true
    },
    "addTags": [
      "use"
    ]
  }
}

This issue has a proposed workaround. https://github.com/cure53/DOMPurify/issues/574

With some minor enhancements to that hook it should be possible to provide a list of safe href "string starts" through formio options such that we can set which (external) references are allowed.
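One shape such a hook could take, as an added example that is neither formio.js nor DOMPurify code: a DOMPurify uponSanitizeAttribute hook that keeps <use> allowed but drops its href/xlink:href unless the value is a same-document fragment or starts with a configured prefix. The allowedPrefixes list and the makeUseHrefHook name are assumptions; the URL normalization step goes slightly beyond a plain "string starts" check so that host case, stray tabs/newlines and "../" segments cannot slip past it.

```javascript
// Added example (neither formio.js nor DOMPurify code). A DOMPurify
// "uponSanitizeAttribute" hook that lets <use> stay in the allowed tags
// but keeps its href/xlink:href only when the value is a same-document
// fragment ("#id") or starts with one of the configured prefixes.
// "allowedPrefixes" is an assumed option name, not a formio.js setting.

// Normalize an absolute URL with the WHATWG parser so that host case,
// tab/newline characters and "../" segments cannot defeat the prefix
// check. Returns null for relative or unparsable values.
function normalizeUrl(value) {
  try {
    return new URL(String(value).trim()).href;
  } catch {
    return null;
  }
}

function isSafeUseHref(value, allowedPrefixes) {
  const raw = String(value).trim();
  // "#symbol-id": a symbol defined in the same (already sanitized) document.
  if (raw.startsWith('#')) return raw.length > 1;
  const href = normalizeUrl(raw);
  if (href === null) return false; // relative references are ambiguous: reject
  // Prefixes should end with "/" so "https://x/icons" does not admit
  // "https://x/iconsevil/...". Comparison is done on normalized forms.
  return allowedPrefixes.some((prefix) => {
    const normalized = normalizeUrl(prefix);
    return normalized !== null && href.startsWith(normalized);
  });
}

// Builds the hook. DOMPurify calls it as (node, data) with
// data.attrName, data.attrValue and data.keepAttr; setting keepAttr to
// false makes DOMPurify drop the attribute. Other elements are untouched.
function makeUseHrefHook(allowedPrefixes) {
  return function uponSanitizeAttribute(node, data) {
    const tag = String(node.nodeName || '').toLowerCase();
    const attr = String(data.attrName || '').toLowerCase();
    if (tag !== 'use' || (attr !== 'href' && attr !== 'xlink:href')) return;
    data.keepAttr = isSafeUseHref(data.attrValue, allowedPrefixes);
  };
}

// Wiring in a browser (not executed here; needs a DOM and DOMPurify):
//   DOMPurify.addHook('uponSanitizeAttribute',
//     makeUseHrefHook(['https://cdn.example.com/icons/']));
```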

lane-formio commented 1 month ago

Is there a particular ask here? Trying to discern if there is anything potentially actionable.