Safelist to allow image elements in href attributes for SVGs #49
Comments
|
As far as I understood, it's not about the attribute name (like I've been working on a DOM-base sanitizer for HTML, recently - it seems some concepts could be reused here as well to introduce custom $hrefAttr = (new Behavior\Attr('href'))
->addValues(new Behavior\RegExpAttrValue('#^https?://#'));... would allow to declare an expected prefix, e.g. $hrefAttr = (new Behavior\Attr('href'))
->addValues(new Behavior\ ClosureAttrValue(function (string $value): bool) {
// custom logic, decoding base64 string, check mime-type
return true; // in case everything is fine - otherwise reject with `false`
});... would allow to declare individual handling and delegate to some other service implementation Just wanted to share my ideas on that topic... 😉 |
|
Interesting, so I guess you're looking for a way to filter the I think that could be a good addition, my concern was always that people could allow things without having context on why they're not allowed by default. I'll have a look into this. @ohader I'd love to hear more about that, do you have that code anywhere that I can look into? |
|
I'm a bit confused -- when I use the project author's online demo at https://svg.enshrined.co.uk/ , your code comes through fine. What am I missing? |
Since I don't think this is currently possible, it would be nice to be able to be able to use
setAllowedAttrs()to detect a starting pattern inside ahrefattribute likedata:image/*.e.g. This gets false positive flagged:
The text was updated successfully, but these errors were encountered: