deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make the SVG-Edit sanitizeSVG() Namespace-Aware

Browse source
This commit is contained in:
Jacques Distler 2010-02-15 13:53:07 -06:00
parent 10c0e709f6
commit d6e749cf6a
1 changed files with 30 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
public/svg-edit/editor/svgcanvas.js
View file

@ -155,7 +155,6 @@ var isOpera = !!window.opera,
"semantics": [] "semantics": []
}, },
// console.log('Start profiling') // console.log('Start profiling')
// setTimeout(function() { // setTimeout(function() {
// canvas.addToSelection(canvas.getVisibleElements()); // canvas.addToSelection(canvas.getVisibleElements());
@ -947,7 +946,28 @@ function BatchCommand(text) {
nsMap[se_ns] = 'se'; nsMap[se_ns] = 'se';
nsMap[htmlns] = 'xhtml'; nsMap[htmlns] = 'xhtml';
nsMap[mathns] = 'mathml'; nsMap[mathns] = 'mathml';
var nsRevMap = {};
$.each(nsMap, function(key,value){
nsRevMap[value] = key;
});
// Produce a Namespace-aware version of svgWhitelist
var svgWhiteListNS = {};
$.each(svgWhiteList, function(elt,atts){
attNS = {};
$.each(atts, function(i, att){
if (att.indexOf(':') != -1) {
v=att.split(':');
attNS[v[1]] = nsRevMap[v[0]];
} else {
attNS[att] = att == 'xmlns' ? xmlnsns : null;
}
});
svgWhiteListNS[elt] = attNS;
});
var svgcontent = svgdoc.createElementNS(svgns, "svg"); var svgcontent = svgdoc.createElementNS(svgns, "svg");
$(svgcontent).attr({ $(svgcontent).attr({
id: 'svgcontent', id: 'svgcontent',
@ -1297,6 +1317,7 @@ function BatchCommand(text) {
if (!doc || !parent) return; if (!doc || !parent) return;
var allowedAttrs = svgWhiteList[node.nodeName]; var allowedAttrs = svgWhiteList[node.nodeName];
var allowedAttrsNS = svgWhiteListNS[node.nodeName];
// if this element is allowed // if this element is allowed
if (allowedAttrs != undefined) { if (allowedAttrs != undefined) {
@ -1307,12 +1328,13 @@ function BatchCommand(text) {
// if the attribute is not in our whitelist, then remove it // if the attribute is not in our whitelist, then remove it
// could use jQuery's inArray(), but I don't know if that's any better // could use jQuery's inArray(), but I don't know if that's any better
var attr = node.attributes.item(i); var attr = node.attributes.item(i);
// TODO: use localName here and grab the namespace URI. Then, make sure that
// anything in our whitelist with a prefix is parsed out properly.
// i.e. "xlink:href" in our whitelist would mean we check that localName matches
// "href" and that namespaceURI matches the XLINK namespace
var attrName = attr.nodeName; var attrName = attr.nodeName;
if (allowedAttrs.indexOf(attrName) == -1) { var attrLocalName = attr.localName;
var attrNsURI = attr.namespaceURI;
//Check that an attribute with the correct localName in the correct namespace is on our whitelist
// or is a namespace declaration for one of our allowed namespaces
if (!(allowedAttrsNS.hasOwnProperty(attrLocalName) && attrNsURI == allowedAttrsNS[attrLocalName] && attrNsURI != xmlnsns) &&
!(attrNsURI == xmlnsns && nsMap[attr.nodeValue]) ) {
// Bypassing the whitelist to allow se: prefixes. Is there // Bypassing the whitelist to allow se: prefixes. Is there
// a more appropriate way to do this? // a more appropriate way to do this?
if(attrName.indexOf('se:') == 0) { if(attrName.indexOf('se:') == 0) {
@ -7755,7 +7777,7 @@ function BatchCommand(text) {
// Function: getVersion // Function: getVersion
// Returns a string which describes the revision number of SvgCanvas. // Returns a string which describes the revision number of SvgCanvas.
this.getVersion = function() { this.getVersion = function() {
return "svgcanvas.js ($Rev: 1390 $)"; return "svgcanvas.js ($Rev: 1391 $)";
}; };
this.setUiStrings = function(strs) { this.setUiStrings = function(strs) {