Commit graph

5 commits

Author | SHA1 | Message | Date

Gabriel Mazetto | a9eaa20dcb | Refactored SVG sanitizer | 2016-06-12 21:05:58 -04:00

Gabriel Mazetto | 13791c6704 | Refactor SVG sanitizer and prevent xlink:href to refer to external resources | 2016-06-12 21:05:58 -04:00

Gabriel Mazetto | 02b882418a | Fix SVG whitelisting to allow namespaced attributes | 2016-06-12 21:05:57 -04:00

Stan Hu | e9ecbd3d4e | Fix warning messages with SVG ALLOWED_ELEMENTS | 2016-05-19 01:35:04 -05:00

    Eliminates "warning: already initialized constant Gitlab::Sanitizers::SVG::ALLOWED_ELEMENTS"

Stan Hu | 21d89d0286 | Update SVG sanitizer to conform to SVG 1.1 | 2016-05-06 23:20:24 -07:00

    Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate
    to handle case-sensitive SVG attributes. sanitize parses documents as HTML
    instead of XML, which causes all SVG attribute names (e.g. viewBox) to be downcased.

    * SVG element list: https://www.w3.org/TR/SVG/eltindex.html
    * SVG attribute list: https://www.w3.org/TR/SVG/attindex.html

    Closes #14555