Make the SVG-Edit sanitizeSVG() Namespace-Aware
parent
10c0e709f6
commit
d6e749cf6a
1 changed files with 30 additions and 8 deletions
|
@ -155,7 +155,6 @@ var isOpera = !!window.opera,
|
|||
"semantics": []
|
||||
},
|
||||
|
||||
|
||||
// console.log('Start profiling')
|
||||
// setTimeout(function() {
|
||||
// canvas.addToSelection(canvas.getVisibleElements());
|
||||
|
@ -947,7 +946,28 @@ function BatchCommand(text) {
|
|||
nsMap[se_ns] = 'se';
|
||||
nsMap[htmlns] = 'xhtml';
|
||||
nsMap[mathns] = 'mathml';
|
||||
|
||||
|
||||
var nsRevMap = {};
|
||||
$.each(nsMap, function(key,value){
|
||||
nsRevMap[value] = key;
|
||||
});
|
||||
|
||||
|
||||
// Produce a Namespace-aware version of svgWhitelist
|
||||
var svgWhiteListNS = {};
|
||||
$.each(svgWhiteList, function(elt,atts){
|
||||
attNS = {};
|
||||
$.each(atts, function(i, att){
|
||||
if (att.indexOf(':') != -1) {
|
||||
v=att.split(':');
|
||||
attNS[v[1]] = nsRevMap[v[0]];
|
||||
} else {
|
||||
attNS[att] = att == 'xmlns' ? xmlnsns : null;
|
||||
}
|
||||
});
|
||||
svgWhiteListNS[elt] = attNS;
|
||||
});
|
||||
|
||||
var svgcontent = svgdoc.createElementNS(svgns, "svg");
|
||||
$(svgcontent).attr({
|
||||
id: 'svgcontent',
|
||||
|
@ -1297,6 +1317,7 @@ function BatchCommand(text) {
|
|||
if (!doc || !parent) return;
|
||||
|
||||
var allowedAttrs = svgWhiteList[node.nodeName];
|
||||
var allowedAttrsNS = svgWhiteListNS[node.nodeName];
|
||||
|
||||
// if this element is allowed
|
||||
if (allowedAttrs != undefined) {
|
||||
|
@ -1307,12 +1328,13 @@ function BatchCommand(text) {
|
|||
// if the attribute is not in our whitelist, then remove it
|
||||
// could use jQuery's inArray(), but I don't know if that's any better
|
||||
var attr = node.attributes.item(i);
|
||||
// TODO: use localName here and grab the namespace URI. Then, make sure that
|
||||
// anything in our whitelist with a prefix is parsed out properly.
|
||||
// i.e. "xlink:href" in our whitelist would mean we check that localName matches
|
||||
// "href" and that namespaceURI matches the XLINK namespace
|
||||
var attrName = attr.nodeName;
|
||||
if (allowedAttrs.indexOf(attrName) == -1) {
|
||||
var attrLocalName = attr.localName;
|
||||
var attrNsURI = attr.namespaceURI;
|
||||
//Check that an attribute with the correct localName in the correct namespace is on our whitelist
|
||||
// or is a namespace declaration for one of our allowed namespaces
|
||||
if (!(allowedAttrsNS.hasOwnProperty(attrLocalName) && attrNsURI == allowedAttrsNS[attrLocalName] && attrNsURI != xmlnsns) &&
|
||||
!(attrNsURI == xmlnsns && nsMap[attr.nodeValue]) ) {
|
||||
// Bypassing the whitelist to allow se: prefixes. Is there
|
||||
// a more appropriate way to do this?
|
||||
if(attrName.indexOf('se:') == 0) {
|
||||
|
@ -7755,7 +7777,7 @@ function BatchCommand(text) {
|
|||
// Function: getVersion
|
||||
// Returns a string which describes the revision number of SvgCanvas.
|
||||
this.getVersion = function() {
|
||||
return "svgcanvas.js ($Rev: 1390 $)";
|
||||
return "svgcanvas.js ($Rev: 1391 $)";
|
||||
};
|
||||
|
||||
this.setUiStrings = function(strs) {
|
||||
|
|
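Review bot: The namespace-declaration branch of the new condition, `nsMap[attr.nodeValue]`, looks up a value taken from the document being sanitized in a plain object, so a value that names an inherited property (for example `constructor`) is truthy and the declaration is kept although that URI is not an allowed namespace; `nsMap.hasOwnProperty(attr.nodeValue)` would limit it to the entries actually registered. The first branch compares with `==`, and since `nsRevMap[v[0]]` is `undefined` for any whitelist prefix missing from `nsMap`, such an entry would also match un-namespaced attributes (`null == undefined`); using `===` and skipping unknown prefixes while building `svgWhiteListNS` avoids that, though whether the whitelist contains such an entry cannot be seen from here. In that builder, `attNS = {}` and `v=att.split(':')` are assigned without `var` and so leak as globals. The sanitizer function that holds the check starts and ends outside these hunks.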