SVG sanitizer doesn't handle namespaced attributes correctly

We have a helper to render inline SVGs for preview in the Files view. As SVG can contain malicious attributes that can be exploited, we have to whitelist the safe ones.

The whitelist contains prefixed attributes like xlink:href, but the code that does the comparison retrieves the attribute name as just href See the example on how the attribute object behaves:

[#(Attr:0x3ffa6db08b08 { name = "href", namespace = #(Namespace:0x3ffa6dae8a9c { prefix = "xlink", href = "http://www.w3.org/1999/xlink" }), value = "#circulo_2_" }),
 #(Attr:0x3ffa6db08a54 { name = "overflow", value = "visible" })]

Fixing the logic will make our SVG preview a lot better for complex SVG files.

There is a catch enabling xlink:href, it can be used to reference external files, for more details see: https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/xlink:href

Referencing external files is not something we should allow, so this must be "blacklisted".

Admin message

Admin message

SVG sanitizer doesn't handle namespaced attributes correctly