properly sanitizing style attrs

master
Mark MacKay 2021-08-05 20:01:03 -05:00
parent 0b0829eebd
commit 5be8246a20
3 changed files with 17 additions and 25 deletions


@ -77,7 +77,6 @@ MD.Import = function(){
function loadSvgString(str, callback) {
var success = svgCanvas.setSvgString(str) !== false;
callback = callback || $.noop;
if(success) {
callback(true);


@ -144,12 +144,12 @@ svgedit.sanitize.sanitizeSvg = function(node) {
// we only care about element nodes
// automatically return for all comment, etc nodes
// for text, we do a whitespace trim
if (node.nodeType == 3) {
if (node.nodeType === 3) {
node.nodeValue = node.nodeValue.replace(/^\s+|\s+$/g, "");
// Remove empty text nodes
if(!node.nodeValue.length) node.parentNode.removeChild(node);
}
if (node.nodeType != 1) return;
if (node.nodeType !== 1) return;
var doc = node.ownerDocument;
var parent = node.parentNode;
@ -161,7 +161,6 @@ svgedit.sanitize.sanitizeSvg = function(node) {
// if this element is allowed
if (allowedAttrs != undefined) {
var se_attrs = [];
var i = node.attributes.length;
@ -201,16 +200,17 @@ svgedit.sanitize.sanitizeSvg = function(node) {
}
// for the style attribute, rewrite it in terms of XML presentational attributes
if (attrName == "style") {
var props = attr.nodeValue.replace(' ', '').split(";"),
p = props.length;
while(p--) {
var nv = props[p].split(":");
// now check that this attribute is supported
if (allowedAttrs.indexOf(nv[0]) >= 0) {
node.setAttribute(nv[0],nv[1]);
}
}
if (attrName === "style") {
const props = attr.nodeValue
.split(";")
.map(prop => prop.trim())
.filter(Boolean)
.forEach(prop => {
var nv = prop.split(":");
if (allowedAttrs.indexOf(nv[0]) >= 0) {
node.setAttribute(nv[0],nv[1]);
}
})
node.removeAttribute('style');
}
}
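Review bot: In the rewritten `style` branch, `prop.split(":")` still splits on every colon and never trims the two halves, so `fill : red` fails the `allowedAttrs.indexOf(nv[0])` check, a value such as `url(data:...)` is cut at its first inner colon, and a declaration with no colon reaches `node.setAttribute(nv[0],nv[1])` with an undefined value. Splitting at the first colon only, trimming name and value, and skipping empty values makes the allow-list check apply to the exact name being written; `const props` can go as well, since it only receives the `undefined` returned by `forEach`. The value is still copied without any check of its own, so it is worth confirming that the surrounding attribute loop (outside this hunk) also vets attributes created here, for example `url(...)` references. The enclosing `sanitizeSvg` starts and ends outside the visible hunks.

```javascript
if (attrName === "style") {
  attr.nodeValue.split(";").forEach(function(decl) {
    var sep = decl.indexOf(":");
    if (sep < 1) return; // no colon or empty property name: drop the declaration
    var name = decl.slice(0, sep).trim();
    var value = decl.slice(sep + 1).trim();
    // only copy allow-listed properties that actually carry a value
    if (value && allowedAttrs.indexOf(name) >= 0) {
      node.setAttribute(name, value);
    }
  });
  // … unchanged: node.removeAttribute('style') …
}
```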


@ -5754,29 +5754,22 @@ this.styleToAttr = function(doc) {
// Returns:
// This function returns false if the set was unsuccessful, true otherwise.
this.setSvgString = function(xmlString) {
console.log("opened")
try {
// convert string into XML document
var newDoc = svgedit.utilities.text2xml(xmlString);
this.prepareSvg(newDoc);
var batchCmd = new BatchCommand("Change Source");
this.prepareSvg(newDoc);
newDoc = this.styleToAttr(newDoc);
// remove old svg document
var nextSibling = svgcontent.nextSibling;
var oldzoom = svgroot.removeChild(svgcontent);
batchCmd.addSubCommand(new RemoveElementCommand(oldzoom, nextSibling, svgroot));
// set new svg document
// If DOM3 adoptNode() available, use it. Otherwise fall back to DOM2 importNode()
if(svgdoc.adoptNode) {
svgcontent = svgdoc.adoptNode(newDoc.documentElement);
}
else {
svgcontent = svgdoc.importNode(newDoc.documentElement, true);
}
svgcontent = svgdoc.adoptNode(newDoc.documentElement);
svgroot.appendChild(svgcontent);
var content = $(svgcontent);