darylldoyle/svg-sanitizer

"Cannot add self usage" error

Closed this issue · 2 comments

Happens when trying to sanitize the attached image.

icon.svg.zip

The SVG validates as valid XML, but I'm not smart enough to know if it's poorly done SVG or a bug in SVG sanitization.

Looks like this commit is where the behavior changed as it worked fine before it: 504da82

Hi @angrybrad,

Sorry for the delay in getting back to you. From what I can see, the issue comes from lines 70-71:

<g id="path-4">
    <use fill="url(#radialGradient-3)" fill-rule="evenodd" xlink:href="#path-4"></use>

As you can see, the xlink:href attribute on the <use> element actually points to the item that is its parent. This is then picked up as recursion and not allowed due to the way we're parsing <use> elements to protect against denial of service attacks by using recursive <use>s.

If this xlink:href is removed, then the sanitiser allows the SVG through.

I'm hoping that helps a bit?

Makes sense and thanks for the follow-up. Will go ahead and close this.
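The self-reference described in this thread can be found before an SVG is handed to a sanitizer. The following is an added example, not svg-sanitizer's own code (the library is PHP): it builds a graph of `<use>` references and reports every id that can reach itself, which covers both the direct case from the issue and indirect loops. The function names and the sample SVGs are assumptions; the samples are constructed, and the closing `</g>` in the first one is assumed since the thread quotes only two lines.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def use_targets(el):
    """Ids referenced by any <use> at or below el (same-document '#id' only)."""
    out = set()
    for node in el.iter():
        if node.tag.rsplit("}", 1)[-1] == "use":
            href = node.get(XLINK_HREF) or node.get("href") or ""
            if href.startswith("#"):
                out.add(href[1:])
    return out

def find_use_cycles(svg_text):
    """Return the sorted ids of elements that reach themselves through <use>."""
    # Refuse DTDs up front so entity declarations never reach the parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DTD declarations are not accepted")
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    # Edge a -> b means: rendering element a instantiates element b.
    graph = {i: {t for t in use_targets(el) if t in by_id}
             for i, el in by_id.items()}

    def reaches_itself(start):
        seen, stack = set(), list(graph[start])
        while stack:
            cur = stack.pop()
            if cur == start:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(graph[cur])
        return False

    return sorted(i for i in graph if reaches_itself(i))

NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
# Constructed samples: the pattern from the issue, an indirect loop, a benign reuse.
SELF_REF = (f'<svg {NS}><g id="path-4"><use fill="url(#radialGradient-3)" '
            'fill-rule="evenodd" xlink:href="#path-4"></use></g></svg>')
INDIRECT = (f'<svg {NS}><g id="a"><use xlink:href="#b"/></g>'
            '<g id="b"><use xlink:href="#a"/></g></svg>')
BENIGN = f'<svg {NS}><defs><path id="p" d="M0 0h1"/></defs><use xlink:href="#p"/></svg>'

if __name__ == "__main__":
    for name, svg in (("self", SELF_REF), ("indirect", INDIRECT), ("benign", BENIGN)):
        print(name, find_use_cycles(svg))
```
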