Valid attributes for animations are removed

Question

Valid attributes for animations are removed

BluechipZellAmSee opened this issue 2 years ago · 3 comments

SVGs with animateTransform elements which contains from and to attribute don't work after sanitizing, because from and to are removed. See attached file.

Answer 1 · 2023-02-27T10:41:13.000Z

calcMode is also absent, any reason why?

Answer 2 · 2024-06-18T08:31:05.000Z

calcMode is also absent, any reason why?

@birdkiwi Can you please add another issue for this problem so that a separate PR could be created? I added a PR for the mentioned issue from the original poster.

Answer 3 · 2024-06-18T10:06:34.000Z

Hi all 👋

The issue with to as an attribute is that it can be used within other elements to change values. This makes it vulnerable, which is why it was removed initially.

For example, the below:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="onmouseover" to="alert(1)"/>
    <animate attributeName="onunload" to="alert(1)"/>
</svg>

No whilst this might not be the case with the animateTransform, the way this sanitiser is set up, with a global list of allowed attributes, means we can't allow it for just one.

If you want this to be added within your system, I suggest extending the AllowedAttributes::class and including it there.

For now, I'm going to close this as a wontfix.