Safe handling of SVG <use> href

Question

Safe handling of SVG <use> href

Rolf-MP opened this issue 8 months ago · comments

See: #4224
And (merged to master): #5394

Thus DOMPurify has a SVG profile.

However, this profile filters out the <use> tag as it is potentially unsafe when referencing external content.
Straightforward, but potentially unsafe, approach is to simply add use to the allowed tags in options (once above merge is released).

In sandbox:

{
  "sanitizeConfig": {
    "useProfiles": {
      "svg": true
    },
    "allowedTags": [
      "use"
    ],
    "addTags": [
      "use"
    ]
  }
}

This issue has a proposed workaround.
cure53/DOMPurify#574

With some minor enhancements to that hook it should be possible to provide a list of safe href "string starts" through formio options such that we can set which )exteral) references are allowed.