
Commit 3c98cab

Merge commit from fork
[2.1] Rejects SVGs that use animate to set href attributes
2 parents 2a89e0b + 78aeff8 commit 3c98cab

1 file changed

Lines changed: 3 additions & 3 deletions

Sources/Subs-Graphics.php

@@ -255,8 +255,8 @@ function checkSvgContents($fileName)
255255
'/\b(\S:)?href\s*=\s*["\']\s*javascript:/i',
256256

257257
// No SVG event attributes allowed, since they execute scripts.
258-
'/\bon\w+\s*=\s*["\']/',
259-
'/<(\S*:)?set\b[^>]*\battributeName\s*=\s*(["\'])\s*on\w+\\1/i',
258+
'/\bon\w+\s*=\s*["\']/i',
259+
'/<(\S*:)?(set|animate(Motion|Transform)?)\b[^>]*\battributeName\s*=\s*(["\'])\s*(on\w+|(\S*:)?href)\\1/i',
260260

261261
// No XML Events allowed, since they execute scripts.
262262
'~\bhttp://www\.w3\.org/2001/xml-events\b~i',
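Review bot: the trailing `\\1` on new line 259 still back-references group 1, which is the optional namespace prefix `(\S*:)?`, not the opening quote it is meant to close; after this change the quote is group 4 (`(["\'])`), and in the removed line it was group 2. PCRE treats a back-reference to an unset group as a failed match, so an unprefixed `<set attributeName="onload">` or `<animate attributeName="href" ...>` never matches this pattern at all, and a prefixed `<svg:animate ...>` only matches if the literal prefix text happens to follow the attribute value. The removed line had the same defect, so the `set` check this hunk extends was not firing in practice either; the `/i` and the new `animate*` alternatives do not change that. Suggest `\\4`, or better a named group so future renumbering cannot reintroduce this: `(?<q>["\'])\s*(on\w+|(?:\S*:)?href)\k<q>`, plus a regression test with an unprefixed `<animate attributeName="href">` fixture.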
@@ -272,7 +272,7 @@ function checkSvgContents($fileName)
272272
'/<!ENTITY\b/',
273273

274274
// Embedded external images can't have custom cross-origin rules.
275-
'/<\b(\S*:)?image\b[^>]*\bcrossorigin\s*=/',
275+
'/<\b(\S*:)?image\b[^>]*\bcrossorigin\s*=/i',
276276

277277
// No embedded PHP tags allowed.
278278
// Harmless if the SVG is just the src of an img element, but very bad
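Review bot: the `i` added on line 275 is harmless, but `[^>]*` between `image` and `crossorigin` stops at the first `>`, and `>` is legal unescaped inside an XML attribute value, so `<image x=">" crossorigin="anonymous" href="...">` passes this check unchanged (the set/animate pattern earlier in this file uses the same `[^>]*` construction). Suggest consuming attributes as quoted tokens instead, e.g. `(?:[^>"']|"[^"]*"|'[^']*')*`, and adding a test SVG with a `>` inside an attribute value ahead of the attribute being screened.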
