From 5be8246a207af616bcc96a846dbba90c43cce99b Mon Sep 17 00:00:00 2001
From: Mark MacKay
Date: Thu, 5 Aug 2021 20:01:03 -0500
Subject: [PATCH] properly sanitizing style attrs
---
src/js/Import.js | 1 -
src/js/sanitize.js | 26 +++++++++++++-------------
src/js/svgcanvas.js | 15 ++++-----------
3 files changed, 17 insertions(+), 25 deletions(-)
diff --git a/src/js/Import.js b/src/js/Import.js
index 3e2f4fa..5655423 100644
--- a/src/js/Import.js
+++ b/src/js/Import.js
@@ -77,7 +77,6 @@ MD.Import = function(){ function loadSvgString(str, callback) { var success = svgCanvas.setSvgString(str) !== false; - callback = callback || $.noop; if(success) { callback(true);
diff --git a/src/js/sanitize.js b/src/js/sanitize.js
index ce6a159..3e5777a 100644
--- a/src/js/sanitize.js
+++ b/src/js/sanitize.js
@@ -144,12 +144,12 @@ svgedit.sanitize.sanitizeSvg = function(node) { // we only care about element nodes // automatically return for all comment, etc nodes // for text, we do a whitespace trim - if (node.nodeType == 3) { + if (node.nodeType === 3) { node.nodeValue = node.nodeValue.replace(/^\s+|\s+$/g, ""); // Remove empty text nodes if(!node.nodeValue.length) node.parentNode.removeChild(node); } - if (node.nodeType != 1) return; + if (node.nodeType !== 1) return; var doc = node.ownerDocument; var parent = node.parentNode;
@@ -161,7 +161,6 @@ svgedit.sanitize.sanitizeSvg = function(node) { // if this element is allowed if (allowedAttrs != undefined) { - var se_attrs = []; var i = node.attributes.length;
@@ -201,16 +200,17 @@ svgedit.sanitize.sanitizeSvg = function(node) { } // for the style attribute, rewrite it in terms of XML presentational attributes - if (attrName == "style") { - var props = attr.nodeValue.replace(' ', '').split(";"), - p = props.length; - while(p--) { - var nv = props[p].split(":"); - // now check that this attribute is supported - if (allowedAttrs.indexOf(nv[0]) >= 0) { - node.setAttribute(nv[0],nv[1]); - } - } + if (attrName === "style") { + const props = attr.nodeValue + .split(";") + .map(prop => prop.trim()) + .filter(Boolean) + .forEach(prop => { + var nv = prop.split(":"); + if (allowedAttrs.indexOf(nv[0]) >= 0) { + node.setAttribute(nv[0],nv[1]); + } + }) node.removeAttribute('style'); } }
diff --git a/src/js/svgcanvas.js b/src/js/svgcanvas.js
index 329bc67..12da7cd 100644
--- a/src/js/svgcanvas.js
+++ b/src/js/svgcanvas.js
@@ -5754,29 +5754,22 @@ this.styleToAttr = function(doc) { // Returns: // This function returns false if the set was unsuccessful, true otherwise. this.setSvgString = function(xmlString) { + console.log("opened") try { // convert string into XML document var newDoc = svgedit.utilities.text2xml(xmlString); - this.prepareSvg(newDoc); - var batchCmd = new BatchCommand("Change Source"); + this.prepareSvg(newDoc); newDoc = this.styleToAttr(newDoc); - // remove old svg document var nextSibling = svgcontent.nextSibling; var oldzoom = svgroot.removeChild(svgcontent); batchCmd.addSubCommand(new RemoveElementCommand(oldzoom, nextSibling, svgroot)); - // set new svg document - // If DOM3 adoptNode() available, use it. Otherwise fall back to DOM2 importNode() - if(svgdoc.adoptNode) { - svgcontent = svgdoc.adoptNode(newDoc.documentElement); - } - else { - svgcontent = svgdoc.importNode(newDoc.documentElement, true); - } + + svgcontent = svgdoc.adoptNode(newDoc.documentElement); svgroot.appendChild(svgcontent); var content = $(svgcontent);
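Review bot: In the `src/js/sanitize.js` style-attribute hunk, `prop.split(":")` inside the new `forEach` cuts on every colon and trims neither half, so a value that itself contains a colon is truncated at `nv[1]`, a name followed by a space never matches `allowedAttrs`, and a declaration with no colon writes the string "undefined" into an allowlisted attribute. Splitting on the first colon only and trimming both parts, as in the sketch below, avoids all three. Only the property name is checked against the allowlist; the value is copied into the attribute as-is, so any value checks `sanitizeSvg` performs elsewhere (not visible in this hunk) need to run after this promotion. `const props` is always `undefined` because `forEach` returns nothing, so the binding can be dropped. The enclosing attribute loop begins outside this hunk.

```javascript
if (attrName === "style") {
  attr.nodeValue.split(";").forEach(decl => {
    const sep = decl.indexOf(":");
    if (sep < 1) return; // no property name, or no colon at all
    const name = decl.slice(0, sep).trim();
    const value = decl.slice(sep + 1).trim();
    if (value && allowedAttrs.indexOf(name) >= 0) {
      node.setAttribute(name, value);
    }
  });
  // … unchanged: node.removeAttribute('style') …
}
```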
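Review bot: The added `console.log("opened")` at the top of `setSvgString` in `src/js/svgcanvas.js` looks like a debugging leftover and should be dropped before merge, since it runs on every call. On ordering, `this.styleToAttr(newDoc)` still runs after `this.prepareSvg(newDoc)`; if `prepareSvg` is where the imported document is sanitized (its body is not in this hunk), attributes written by `styleToAttr` are not sanitized again, so it would be safer to call `styleToAttr` first or to confirm it only emits allowlisted attributes. A short comment above the two calls, such as `// sanitize last: nothing below may add attributes to newDoc`, would keep that ordering from drifting. The body of `setSvgString` continues outside the hunk.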