Default whitelist is invalidated with recent improvement
kiziltas opened this issue
I think with this change 12f3b33 the default whitelist is invalidated and now the only style that is allowed is "enable-background". The allowStyling() method should have been kept and extended with specific styles (because the allowStyling() method unifies everything that's sent).
.allowStyling()
.allowStyling(CssSchema.withProperties(SVG_SPECIFIC_STYLES))
Bonus: It would be awesome if we could set a custom whitelist when composing SvgSecurityValidator :)
Hi kiziltas!
I'll look at it ;) Of course, you're welcome to create a PR :)
@kiziltas could you provide an svg file example? :)
@kiziltas You were right, version 1.1.1 is broken, I'm fixing the issue right away! I'll add some more tests to cover this case.
@kiziltas 1.1.2 released https://github.com/bgalek/safe-svg/releases/tag/1.1.2
Thanks! (and apologies, I missed your early input requests)
no problem! :)