darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer

Valid attributes for animations are removed

BluechipZellAmSee opened this issue · comments

SVGs with animateTransform elements which contain from and to attributes don't work after sanitizing, because from and to are removed. See attached file.
test

calcMode is also absent, any reason why?

@birdkiwi Can you please add another issue for this problem so that a separate PR could be created? I added a PR for the mentioned issue from the original poster.

Hi all 👋

The issue with to as an attribute is that it can be used within other elements to change values. This makes it vulnerable, which is why it was removed initially.

For example, the below:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>

Now, whilst this might not be the case with the animateTransform, the way this sanitiser is set up, with a global list of allowed attributes, means we can't allow it for just one.

If you want this to be added within your system, I suggest extending the AllowedAttributes::class and including it there.

For now, I'm going to close this as a wontfix.
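
The global-list limitation discussed in this thread, shown as an added example that is not part of the thread or of svg-sanitizer's code: a standalone pass using PHP's DOM extension that keeps from and to only on animateTransform elements targeting a transform attribute and strips them from every other element. The function name, the list of transform targets and the sample SVG are constructed for illustration.

```php
<?php
// Added example: element-scoped handling of from/to. Not svg-sanitizer code.
// Assumption: animateTransform may only target the transform attributes below.
const TRANSFORM_TARGETS = ['transform', 'gradientTransform', 'patternTransform'];
const VALUE_ATTRS = ['from', 'to'];

function scopeAnimationValues(string $svg): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) {
        throw new InvalidArgumentException('Not well-formed XML');
    }
    // Copy the live node list first, because nodes are removed while looping.
    foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
        if ($el->localName === 'animateTransform') {
            // from/to stay only when the animation targets a transform attribute.
            if (!in_array($el->getAttribute('attributeName'), TRANSFORM_TARGETS, true)) {
                $el->parentNode->removeChild($el);
            }
            continue;
        }
        // Every other element, including <set> and <animate>, loses from/to.
        foreach (VALUE_ATTRS as $name) {
            $el->removeAttribute($name);
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample: the two elements from the thread plus a legitimate rotation.
$sample = <<<SVG
<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
    <rect width="10" height="10">
        <animateTransform attributeName="transform" type="rotate" from="0 5 5" to="360 5 5" dur="2s"/>
    </rect>
</svg>
SVG;

echo scopeAnimationValues($sample), PHP_EOL;
```

In the output the set and animate elements no longer carry a to value, while the rotation on the rect keeps both from and to.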