Comments (8)
Also, if the SVG strings are not inlined, that is, they're stored elsewhere before being "injected" into a page, then technically, those SVG strings should be escaped.
If you're interested, at one point I wrote a PoC for storing the SVG strings in a class, and that class also having an echoSVG() method that did the escaping. Off the top of my head, you could add a filter(s) that would allow people to manipulate the SVG library, yet still ensure that any SVG they added would also be escaped.
That code is somewhere in the bowels of my HD. I can dig it up if you're interested.
from suki.
Sure! That would be really helpful.
Yeah, I was thinking about the escaping too.
I just looked into Twenty Twenty theme's code, and they just did a normal escaping, like removing the newlines, white spaces, and tabs. Nothing specific about security risk.
"Nothing specific about security risk."
I'm not so sure that's the case. What I did was done in the Summer of 2018 and I do remember searching to see what best practices were. That led me - I think - to some repo on GitHub.
This looks to be dated AFTER I did mine. Let me dig around...
https://wordpress.stackexchange.com/questions/312625/escaping-svg-with-kses
Using kses to limit the attributes and inner tags is for security purposes :)
But I think we need more attributes to whitelist, like stroke, etc.
But that's still a good reference to use.
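For the kses approach discussed above, here is an added example (not the Suki theme's, Twenty Twenty's, or svg-sanitizer's code) of an explicit allowlist for WordPress's real `wp_kses()` covering the SVG subset an icon set needs; the function names and the sample icon are constructed for this illustration.

```php
<?php
// Added example, not theme code. Allowlist for wp_kses(): any element or
// attribute not listed here (script, foreignObject, style, on* handlers,
// href) is dropped, so only a known drawing subset reaches the page.
function suki_example_svg_allowed_html() {
    // Presentation attributes shared by the drawing elements below.
    // kses compares attribute names in lowercase, so keys are lowercase.
    $paint = array(
        'fill'            => true,
        'fill-rule'       => true,
        'stroke'          => true,
        'stroke-width'    => true,
        'stroke-linecap'  => true,
        'stroke-linejoin' => true,
        'class'           => true,
    );
    return array(
        'svg'     => array(
            'xmlns'       => true,
            'viewbox'     => true, // matches viewBox; original case is kept in output
            'width'       => true,
            'height'      => true,
            'aria-hidden' => true,
            'role'        => true,
            'focusable'   => true,
        ) + $paint,
        'g'       => $paint,
        'path'    => array( 'd' => true ) + $paint,
        'circle'  => array( 'cx' => true, 'cy' => true, 'r' => true ) + $paint,
        'rect'    => array( 'x' => true, 'y' => true, 'width' => true, 'height' => true, 'rx' => true ) + $paint,
        'polygon' => array( 'points' => true ) + $paint,
        'title'   => array(),
    );
}

// Escape a stored SVG string right before it is echoed into the page.
function suki_example_kses_svg( $svg ) {
    return wp_kses( $svg, suki_example_svg_allowed_html() );
}

// Constructed input: a legitimate icon carrying two things the allowlist
// does not cover (an onload attribute and a <script> element).
$icon = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" onload="alert(1)">'
      . '<script>alert(2)</script>'
      . '<path d="M12 2L2 22h20z" stroke="currentColor" fill="none"/>'
      . '</svg>';

// onload is dropped and the <script> tags are stripped (their text is left
// as inert text); viewBox, path, stroke and fill survive unchanged.
echo suki_example_kses_svg( $icon );
```

Run inside WordPress (for example from a theme file), since `wp_kses()` is provided by WordPress core; attributes such as `href` or `xlink:href` on `<use>` are deliberately absent and would need their own entry plus a protocol check if the icon set requires them.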
This is what I used
https://github.com/darylldoyle/svg-sanitizer
There might be something newer and better but as of mid-summer 2018 it was the best I could find for the need that I had.
I found the code but need to repo it. I'll do that soon and put the link here.
That sanitizer is currently used on the popular Safe SVG plugin by the same developer.
Hmm, I am not sure if including this sanitizer built into the theme is worth it.
I'm not sure you have a choice really. It's likely in a steady state so fork it and add your own namespace so there's no conflicts.
My suki pro doesn't display .svg social icons at all:
Warning: ftp_fget() expects parameter 1 to be resource, null given
I should have put
define('FS_METHOD', 'direct');
to the config to make it work.