Safe handling of SVG <use> href
Rolf-MP opened this issue
See: #4224
And (merged to master): #5394
Thus DOMPurify has a SVG profile.
However, this profile filters out the <use> tag as it is potentially unsafe when referencing external content.
A straightforward, but potentially unsafe, approach is to simply add use to the allowed tags in the options (once the merge above is released).
In sandbox:
{
  "sanitizeConfig": {
    "useProfiles": {
      "svg": true
    },
    "allowedTags": [
      "use"
    ],
    "addTags": [
      "use"
    ]
  }
}
This issue has a proposed workaround.
cure53/DOMPurify#574
With some minor enhancements to that hook it should be possible to provide a list of safe href "string starts" through formio options such that we can set which (external) references are allowed.
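One way to implement the allow-listed href check described above, as an added example that is not code from formio, DOMPurify, or the linked workaround. It is a DOMPurify uponSanitizeAttribute hook (a real DOMPurify hook name) that drops the href / xlink:href attribute of a <use> element unless it is a same-document fragment reference or points at an allow-listed origin and path prefix. The prefix list, the sample URLs and the makeUseHrefHook / isSafeUseHref names are assumptions made for this example; the hook is meant to be registered after use has been added via ADD_TAGS. Rather than a plain "string starts with" comparison, it parses the value with the standard URL constructor and compares origin plus normalized path, so userinfo tricks and path traversal do not slip past the prefix match.

```javascript
// Added example (not formio's or DOMPurify's own code).
// Constructed sample allow list: only sprites under this path may be referenced.
const ALLOWED_USE_PREFIXES = ['https://cdn.example.com/icons/'];

// Normalize an allowed prefix to "origin + pathname" so it is compared
// against the same canonical form as the incoming href.
function normalizePrefix(prefix) {
  const u = new URL(prefix);
  return u.origin + u.pathname;
}

// Decide whether a <use> href may be kept.
//  - '#id' fragment-only references stay in the current document: allowed when allowLocal is true.
//  - Anything else must parse as an absolute http(s) URL whose origin + normalized
//    path starts with one of the allowed prefixes. Relative URLs, data: URLs and
//    malformed values are rejected.
function isSafeUseHref(value, allowedPrefixes, allowLocal = true) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  if (v === '') return false;
  if (v.startsWith('#')) return allowLocal;

  let url;
  try {
    url = new URL(v); // no base: protocol-relative or relative values throw here
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;

  // origin drops any userinfo ("https://cdn.example.com@evil.example/..." has origin evil.example),
  // pathname is already dot-segment normalized ("/icons/../secret.svg" becomes "/secret.svg").
  const target = url.origin + url.pathname;
  return allowedPrefixes.map(normalizePrefix).some((p) => target.startsWith(p));
}

// Build a DOMPurify 'uponSanitizeAttribute' hook. DOMPurify calls it as (node, data)
// with data.attrName (lower-cased) and data.attrValue; setting data.keepAttr = false
// makes DOMPurify remove the attribute. The <use> element itself is left in place,
// which is harmless once it no longer references anything.
function makeUseHrefHook(allowedPrefixes, allowLocal = true) {
  return function useHrefHook(node, data) {
    if (String(node.nodeName).toLowerCase() !== 'use') return;
    if (data.attrName !== 'href' && data.attrName !== 'xlink:href') return;
    if (!isSafeUseHref(data.attrValue, allowedPrefixes, allowLocal)) {
      data.keepAttr = false;
    }
  };
}

// Registration when DOMPurify is present (e.g. in the browser); the config still
// needs ADD_TAGS: ['use'] and the svg profile for <use> to survive at all.
if (typeof globalThis.DOMPurify !== 'undefined') {
  globalThis.DOMPurify.addHook('uponSanitizeAttribute', makeUseHrefHook(ALLOWED_USE_PREFIXES));
}

module.exports = { ALLOWED_USE_PREFIXES, isSafeUseHref, makeUseHrefHook };
```

The allow list should only name documents you control: browsers already refuse cross-origin <use> targets, but the referenced sprite is still parsed and rendered, so the hook limits where a reference may point, not what the referenced file contains.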