Update SVG sanitizer to conform to SVG 1.1 (!3401) · Merge requests · GitLab.org / GitLab FOSS

Stan Hu requested to merge stanhu/gitlab-ce:fix-sanitize-svg into master Mar 25, 2016

Original SVG sanitizer would strip out necessary elements and attributes.

Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate to handle case-sensitive SVG attributes since they parse documents as HTML instead of XML, which causes all SVG attribute names (e.g. viewBox) to be downcased.

SVG element list: https://www.w3.org/TR/SVG/eltindex.html
SVG attribute list: https://www.w3.org/TR/SVG/attindex.html

Closes #14555 (closed)

Admin message

Admin message

Update SVG sanitizer to conform to SVG 1.1

Merge request reports