Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -255,8 +255,8 @@ function checkSvgContents($fileName)
255255 '/\b(\S:)?href\s*=\s*[" \']\s*javascript:/i ' ,
256256
257257 // No SVG event attributes allowed, since they execute scripts.
258- '/\bon\w+\s*=\s*[" \']/ ' ,
259- '/<(\S*:)?set\b[^>]*\battributeName\s*=\s*([" \'])\s*on\w+ \\1/i ' ,
258+ '/\bon\w+\s*=\s*[" \']/i ' ,
259+ '/<(\S*:)?( set|animate(Motion|Transform)?) \b[^>]*\battributeName\s*=\s*([" \'])\s*( on\w+|(\S*:)?href) \\1/i ' ,
260260
261261 // No XML Events allowed, since they execute scripts.
262262 '~\bhttp://www\.w3\.org/2001/xml-events\b~i ' ,
@@ -272,7 +272,7 @@ function checkSvgContents($fileName)
272272 '/<!ENTITY\b/ ' ,
273273
274274 // Embedded external images can't have custom cross-origin rules.
275- '/<\b(\S*:)?image\b[^>]*\bcrossorigin\s*=/ ' ,
275+ '/<\b(\S*:)?image\b[^>]*\bcrossorigin\s*=/i ' ,
276276
277277 // No embedded PHP tags allowed.
278278 // Harmless if the SVG is just the src of an img element, but very bad
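Review bot: On new line 259 the trailing back-reference `\\1` still points at the optional namespace-prefix group `(\S*:)?`, while the quote character it is evidently meant to re-match is captured later — group 4 on the new line, once `(set|animate(Motion|Transform)?)` and its inner `(Motion|Transform)` are counted — and the old line had the same mismatch with its quote in group 2. If the rendered line reflects the source, an unprefixed `<set attributeName="onload"` leaves group 1 unset, and a back-reference to an unset group fails under PCRE's default rules, so this pattern would only fire in unusual prefixed cases rather than whenever the quoted attributeName names an event handler or href. Pointing the reference at the quote group, `\\4`, or using a named group `(?<q>[" \'])` … `\k<q>` so later edits to the alternation cannot renumber it again, makes the intent explicit; a unit test against `<set attributeName="onload"/>` and the `animate`/`animateMotion`/`animateTransform` variants would pin it, since these elements are otherwise not covered by the `on\w+\s*=` rule above. checkSvgContents begins and ends outside the hunk.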