Skip to content

Drop unsafe SMIL attributeName values in SVG sanitization#911

Open
giuscris wants to merge 2 commits into
2.xfrom
sanitize-smil-attributename
Open

Drop unsafe SMIL attributeName values in SVG sanitization#911
giuscris wants to merge 2 commits into
2.xfrom
sanitize-smil-attributename

Conversation

@giuscris

Copy link
Copy Markdown
Member

This pull request refactors and strengthens the SVG and DOM sanitization logic, with a particular focus on improving the handling of SVG SMIL animation elements. The main changes involve extracting attribute sanitization into its own method, introducing special handling for SMIL attributeName attributes, and centralizing SMIL-related reference data.

Sanitization refactor and SMIL handling:

  • Extracted the logic for sanitizing individual DOM element attributes into a new protected method sanitizeNodeAttribute, improving code clarity and reusability. (formwork/src/Sanitizer/DomSanitizer.php, formwork/src/Sanitizer/DomSanitizer.phpL234-R257)
  • In SvgSanitizer, overridden sanitizeNodeAttribute to add special handling for SMIL animation elements: if an element is a SMIL animation type and its attributeName is not considered safe, the attribute is removed. (formwork/src/Sanitizer/SvgSanitizer.php, formwork/src/Sanitizer/SvgSanitizer.phpR50-R62)
  • Added a private helper method isSafeSmilAttributeName to determine if a SMIL attributeName is allowed (i.e., not a URI attribute and present in allowed attributes). (formwork/src/Sanitizer/SvgSanitizer.php, formwork/src/Sanitizer/SvgSanitizer.phpR101-R109)

Centralization of SMIL reference data:

@giuscris giuscris requested a review from Copilot June 27, 2026 08:41
@giuscris giuscris self-assigned this Jun 27, 2026
@giuscris giuscris added the enhancement New feature or request label Jun 27, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors DOM attribute sanitization to make it overridable per sanitizer, and tightens SVG SMIL handling by dropping unsafe attributeName values on SMIL animation elements to prevent URI-bearing attributes from being indirectly targeted.

Changes:

  • Extracted single-attribute sanitization into DomSanitizer::sanitizeNodeAttribute() and updated the attribute loop to call it.
  • Added SMIL-specific logic in SvgSanitizer to remove attributeName when it targets an unsafe attribute.
  • Centralized the SMIL element list in SvgReference::SMIL_ELEMENTS.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
formwork/src/Sanitizer/DomSanitizer.php Refactors per-attribute sanitization into an overridable method used by the attribute loop.
formwork/src/Sanitizer/SvgSanitizer.php Overrides attribute sanitization to drop unsafe SMIL attributeName values for animation elements.
formwork/src/Sanitizer/Reference/SvgReference.php Adds centralized SMIL_ELEMENTS reference list used by SvgSanitizer.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +243 to +248
if (!in_array($domAttr->nodeName, $this->allowedAttributes, true)) {
$domElement->removeAttribute($domAttr->nodeName);
}

$scheme = Uri::scheme($uri);
if (in_array($domAttr->nodeName, $this->uriAttributes, true)) {
$uri = $this->sanitizeUri((string) $domAttr->nodeValue);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants