HtmlSanitizer icon indicating copy to clipboard operation
HtmlSanitizer copied to clipboard

Published 20 hours ago verified publisher icon mganss

How to keep whole SVG tag

Open RaptorCZ opened this issue 3 years ago • 7 comments

I'm using SVG icons in application, but sanitizer removes it. Tried to allow svg tag, but it is not working. All svg nested tags are removed.

sanitizer.AllowedTags.Add("svg")

How to solve it?

SVG example:

<svg viewBox="0 0 136 200" xmlns="http://www.w3.org/2000/svg" class="dashboard-icon">
    <path d="M90.98 167.85c-.2.57-.44 1.16-.72 1.78-.28.62-.6 1.22-.96 1.78-.35.57-.76 1.09-1.22 1.57-.431.457-.93.845-1.48 1.15-.35.14-.66.26-.94.36-.28.1-.58.15-.89.15-.34 0-.58-.14-.72-.42-.14-.28-.22-.61-.25-.98-.02-.37-.01-.72.03-1.06.04-.34.08-.57.11-.68.13-.54.35-1.17.66-1.89.31-.72.68-1.4 1.12-2.04.44-.64.92-1.18 1.42-1.61.51-.44 1.04-.66 1.61-.66.71 0 1.31.18 1.82.55.5.37.65.96.45 1.78l-.04.22zm-6.39 9.94c.17 0 .33.01.48.02.15.01.3.02.44.02.51 0 1.05-.15 1.62-.45.57-.3 1.13-.66 1.69-1.08.56-.42 1.08-.88 1.57-1.36.49-.48.89-.91 1.21-1.28.63-.71 1.2-1.44 1.71-2.19s.89-1.57 1.14-2.44l.2-.81c.08-.31.14-.62.19-.91.05-.3.03-.59-.04-.87-.08-.34-.17-.69-.25-1.06-.08-.37-.24-.68-.49-.94-.29-.31-.62-.57-1-.76-.38-.2-.76-.38-1.16-.55-.4-.17-.79-.34-1.17-.51-.38-.17-.74-.38-1.07-.64-.21-.17-.45-.25-.7-.25-.62 0-1.28.2-1.97.59-.69.4-1.34.86-1.94 1.38-.6.52-1.12 1.06-1.57 1.61-.45.55-.75.98-.92 1.3-.35.74-.74 1.54-1.17 2.4-.43.86-.72 1.61-.87 2.23-.32 1.27-.33 2.35-.04 3.23.29.88.84 1.59 1.64 2.12.36.25.7.52 1.01.78.31.27.71.4 1.19.4h.27v.02zm-7.97-22.9c-.11.43-.21.86-.3 1.3-.09.44-.2.87-.3 1.3-.16.65-.28 1.15-.35 1.51-.07.35-.17.79-.3 1.29-.06.26-.18.56-.33.91-.16.35-.47.53-.92.53-.42.2-.79.34-1.13.42-.33.08-.65.16-.97.21-.31.06-.63.11-.96.17-.33.06-.69.16-1.09.3-.26.48-.43.88-.51 1.19.14.23.36.52.67.89.31.37.74.55 1.31.55.45 0 .87-.08 1.25-.26.38-.17.84-.3 1.37-.38.03.11.04.22.03.32-.01.1-.03.21-.06.32-.32 1.39-.63 2.77-.95 4.14-.31 1.37-.6 2.75-.86 4.14-.11.57-.21 1.19-.28 1.87-.07.68-.08 1.22-.04 1.61.13.4.32.73.58 1 .26.27.59.4.98.4.06 0 .23-.03.53-.09.33-.08.65-.24.97-.47.31-.23.53-.58.65-1.06.08-.34.12-.71.11-1.1-.01-.4-.01-.79 0-1.19.09-1.27.22-2.6.38-3.97s.4-2.7.71-3.97c.05-.2.1-.39.16-.57.06-.18.11-.36.15-.53.04-.17.08-.34.11-.51.03-.17.07-.35.12-.55.08-.34.27-.62.55-.85.28-.23.6-.41.94-.55.35-.14.71-.26 1.09-.36.38-.1.71-.2.99-.32.3-.09.61-.16.93-.23.32-.07.61-.16.9-.28.28-.11.54-.28.76-.49.22-.21.38-.5.47-.87.08-.31.08-.62.02-.93-.06-.31-.29-.47-.69-.47-.74 0-1.41.12-2.02.36-.61.24-1.29.36-2.02.36-.23 0-.34-.07-.33-.21.01-.14.03-.3.07-.47.09-.37.19-.72.29-1.06.1-.34.19-.66.26-.98.11-.45.23-.9.36-1.34.12-.44.24-.88.35-1.34.11-.43.2-.86.28-1.3.08-.44.2-.95.34-1.55.08-.31.13-.63.15-.96.02-.32-.01-.62-.1-.87a1.329 1.329 0 00-.52-.64c-.26-.17-.62-.26-1.11-.26-.23 0-.42.04-.58.11-.16.07-.37.16-.62.28-.18.4-.32.76-.4 1.1l-1.09 4.4zm-23.4 12.24l-.3 1.19c-.1.4-.23.79-.38 1.19-.42 1.7-.73 3.13-.92 4.29-.19 1.16-.24 2.11-.16 2.85.08.74.33 1.27.75 1.59.41.32 1.03.49 1.85.49.76 0 1.55-.28 2.35-.83.8-.55 1.55-1.2 2.25-1.95s1.33-1.52 1.91-2.32c.58-.79 1.04-1.43 1.39-1.91l.26-.34c-.08.68-.15 1.34-.19 1.98-.05.64-.01 1.22.1 1.74s.31.97.6 1.34c.29.37.73.62 1.32.76.21-.06.42-.1.63-.13.21-.03.4-.08.59-.15.19-.07.36-.18.53-.34.17-.15.31-.38.44-.66-.05-.25-.12-.47-.22-.66-.1-.18-.2-.38-.32-.57-.28-.6-.39-1.38-.33-2.36s.26-2.15.6-3.5c.17-.68.42-1.49.76-2.44.33-.95.71-2.26 1.13-3.93-.08-.23-.25-.45-.51-.68-.25-.23-.5-.34-.72-.34-.03 0-.06-.01-.08-.02-.03-.01-.05-.02-.08-.02-.71 0-1.24.1-1.58.3-.35.2-.6.45-.76.74-.16.3-.28.63-.35 1-.08.37-.22.74-.42 1.1-.5.88-1.12 1.88-1.86 3.02-.74 1.13-1.5 2.21-2.29 3.23s-1.55 1.89-2.29 2.61c-.73.72-1.33 1.11-1.8 1.17.09-.59.24-1.46.44-2.61s.47-2.4.81-3.76c.1-.4.24-.82.42-1.27.18-.45.38-1.09.58-1.91.12-.48.27-.9.44-1.25.17-.35.32-.76.43-1.21.13-.54.01-.95-.37-1.23s-.79-.45-1.23-.51c-.15.03-.28.06-.38.09-.11.03-.21.06-.3.08-.18.06-.35.12-.49.19-.15.07-.24.13-.28.19-.4.68-.71 1.37-.94 2.08-.23.71-.44 1.44-.64 2.21l-.39 1.47zm-12.45.38c1.2-2.32 2.52-4.67 3.97-7.05 0 .57-.01 1.13-.02 1.7-.01.57-.02 1.13-.02 1.7-.01.62-.05 1.23-.11 1.8-.06.58-.13 1.15-.22 1.72-1.93 0-3.13.04-3.6.13m-9.83 12.32c-.09.57.3.99 1.17 1.27.1.06.2.08.3.08h.28c.42 0 .75-.17.98-.51.71-1.05 1.57-2.62 2.58-4.72.455-.958.925-1.908 1.41-2.85.4-.76.73-1.37.99-1.83.76-.54 1.71-.88 2.85-1.02l2.95-.26c.21 1.44.22 3.24.06 5.4-.13 1.98.47 3.1 1.8 3.36.2 0 .57-.2 1.12-.6.59-.43.95-.92 1.09-1.49.08-.31.09-.71.04-1.19a97.536 97.536 0 01-.4-7.41c-.06-2.73-.02-5.77.1-9.11.08-.57.16-1.15.22-1.74.06-.6.12-1.18.18-1.74.11-1.36-.14-2.38-.77-3.06-.25-.26-.57-.38-.97-.38-.54 0-.94.2-1.21.6-.59.91-1.25 1.99-1.98 3.25-.72 1.26-1.54 2.74-2.44 4.44-2.07 3.88-3.53 6.51-4.39 7.9-.11.2-.41.35-.92.47-.5.09-.83.21-.99.38-.14.11-.23.25-.28.42-.04.17.1.41.42.72.3.28.42.54.36.76-.32.93-1.16 2.44-2.52 4.5-1.01 1.53-1.64 2.85-1.92 3.95l-.11.41z" fill="#25aec2" fill-rule="nonzero"/>
    <path d="M.11 77.93V75.1c0-.47.59-.84 1.32-.84h77.41c.73 0 1.32.38 1.32.84v2.83c0 .47-.59.84-1.32.84H1.42c-.72 0-1.31-.38-1.31-.84zm135.27 9.38l-.46 2.91c-.08.48-.79.83-1.6.78L90.3 88.69l-.41-.02-40.5-2.18-.33 2 40.57 2.18.31.02 44.66 2.4-1.23 7.87c-.68 4.35-5.48 5.55-5.48 5.55l-13.12 15.79s-6.81.54-14.65.67c-7.17.12-14.13-.28-15.34-.35-1.22-.06-8.19-.41-15.2-1.29-7.67-.97-14.2-2.23-14.2-2.23l-3.57-7.57c-4.64.13-10.98.3-11.67.3-1.09.01-7.32.03-13.67-.46-6.94-.53-12.91-1.41-12.91-1.41L4.09 94.03S0 92.62 0 88.38v-7.66h80.25v2.76l10.36.56 43.44 2.34c.8.03 1.4.46 1.33.93zM11.5 90.2c2.69 0 4.88-1.4 4.88-3.13s-2.19-3.13-4.88-3.13c-2.7 0-4.88 1.4-4.88 3.13-.01 1.73 2.18 3.13 4.88 3.13zm108.72 11.93c3.01.16 5.68-1.14 5.96-2.92.28-1.77-1.94-3.34-4.95-3.5-3.01-.16-5.68 1.14-5.96 2.92-.27 1.77 1.94 3.34 4.95 3.5zm-26.39 4.96l3.98 2.46 2-2.33c-2.19-.04-4.2-.08-5.98-.13zm-21.8-1.5c-8.38-.87-16.27-2.54-16.27-2.54l5.4 13.03s7.22 1.43 12.47 1.92c4.54.42 10.16.76 11.59.84.84.04 6.98.35 11.91.42 5.31.08 12.86-.56 12.86-.56l9.37-12.23s-8.28.81-16.79.77c-.48 0-.93-.01-1.4-.01l-.53 3.37 10.83-2.11-5.02 3.32 5.81 1.21-9.11.13 4.09 3.2-7.15-2.18-3.67 4.29-.79-4.53-9.34 2.19 6.54-3.54-6.16-2.13 6.19-1.23-1.82-2.2c-1.73-.06-2.99-.11-3.59-.14 0 0-.09-.01-.21-.01-.12-.01-.2-.01-.2-.01-1.62-.12-7.81-.52-15.01-1.27zm-15.77-6.9c3.01.16 5.68-1.14 5.96-2.92.51-3.21-2.16-3.35-4.95-3.5-3.01-.16-5.68 1.14-5.96 2.91-.27 1.78 1.94 3.35 4.95 3.51zm-8.88 3.49s-4.1-1.63-3.67-5.74c-1.52.01-2.22.02-3.4.03h-.37c-1.43-.01-6.99-.08-13.49-.42-7.56-.4-14.8-1.61-14.8-1.61l6.61 12.3s6.61 1.01 11.34 1.21c4.09.17 9.13.2 10.41.21.72 0 5.8-.02 10.09-.19l-2.72-5.79z" fill="url(#_Linear1)" fill-rule="nonzero" transform="translate(0 20)"/>
    <path d="M3.62 87.78c0 1.01.84 1.83 1.87 1.83h7.67c1.03 0 1.87-.82 1.87-1.83V80.7H3.62v7.08zm84.65-7.5l.31-.03 44.66-4.1-1.23-13.44c-.68-7.43-5.48-9.49-5.48-9.49l-13.12-26.98s-6.81-.93-14.65-1.15c-7.17-.21-14.13.47-15.34.6-1.2.1-8.02.68-14.94 2.15l-2.13-5.01c-1.11-.24-6.54-1.39-12.66-2.12-6.29-.75-12.46-.72-13.62-.71-1.18-.01-7.35-.04-13.63.7-6.11.72-11.52 1.87-12.65 2.12L4.36 47.27l-.14.07c-.16.08-3.87 2.15-3.87 8.32v11.38h42.14c-.18 1.11-.25 2.38-.12 3.83H1.36c-.5 0-.9.39-.9.88v4.35c0 .49.4.88.9.88h41.57c.4 4.38.68 7.39.68 7.39l44.66-4.09zm-32.34-2.74c-3.01.28-5.68-1.96-5.96-4.99-.28-3.02 1.94-5.7 4.95-5.98 3.01-.28 5.68 1.96 5.96 4.98.27 3.03-1.94 5.71-4.95 5.99zm36.56-25.32l3.98-4.2 2 3.99c-2.2.05-4.21.12-5.98.21zm32.34 13.45c.28 3.03-1.94 5.71-4.95 5.99-3.01.27-5.68-1.96-5.96-4.99-.28-3.02 1.94-5.71 4.95-5.98 3.001-.268 5.691 1.98 5.96 4.98zM83.88 32.15c.84-.07 6.98-.6 11.91-.73 5.31-.13 12.86.97 12.86.97l9.37 20.9s-8.28-1.38-16.79-1.31c-.48 0-.93.02-1.4.02l-.53-5.77 10.83 3.62-5.02-5.69 5.81-2.07-9.11-.21 4.09-5.47-7.15 3.72-3.67-7.34-.79 7.75-9.34-3.75 6.54 6.05-6.16 3.64 6.19 2.11-1.82 3.76c-1.73.1-2.99.2-3.59.24 0 0-.08.01-.21.02-.12.01-.2.02-.2.02-1.6.16-7.79.85-14.99 2.13-8.38 1.49-16.27 4.35-16.27 4.35l5.41-22.25s7.22-2.45 12.47-3.29c4.5-.72 10.13-1.28 11.56-1.42zM11.43 62.08c-2.46 0-4.47-1.97-4.47-4.39s2-4.4 4.47-4.4c2.47 0 4.47 1.97 4.47 4.4 0 2.42-2.01 4.39-4.47 4.39zm28.81-18.45h-.36c-1.53.02-7.01.12-13.46.65-7.44.61-14.66 2.45-14.73 2.47l-.75.19 6.94-19.87.22-.05c.07-.02 6.7-1.56 11.4-1.87 4.04-.27 9.01-.31 10.44-.32 1.03 0 6.34.04 10.66.32 4.7.31 11.34 1.86 11.41 1.87l.23.05.64 2.07c-5.13 1.31-8.87 2.55-8.87 2.55L50.6 44.06c-5.26-.34-9.46-.42-10.36-.43zm7.45 54.84l.04 2.11c0 1.42 1.15 2.57 2.56 2.57l8.61.02c1.41 0 2.56-1.15 2.55-2.57l-.05-3.39-13.71 1.26zm69.01 2.23c0 1.42 1.15 2.58 2.56 2.58l8.61.02c1.41 0 2.56-1.15 2.55-2.57l.03-9.86-13.78 1.26.03 8.57zm16.87-19.66c-.08-.82-.79-1.41-1.6-1.34l-43.02 3.95-.41.04-43.02 3.95c-.81.07-1.41.79-1.33 1.61l.46 4.97c.07.81.79 1.41 1.6 1.34l43.02-3.95 43.44-3.99c.81-.07 1.41-.8 1.33-1.61l-.47-4.97z" fill-rule="nonzero"/>
    <defs>
        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="rotate(90 -3.3 71) scale(48.7)">
            <stop offset="0" stop-opacity=".1"/>
            <stop offset="1" stop-opacity="0"/>
        </linearGradient>
    </defs>
</svg>

RaptorCZ avatar Jun 11 '21 17:06 RaptorCZ

You'll have to use events:

sanitizer.RemovingTag += (s, e) => e.Cancel = e.Tag is AngleSharp.Svg.Dom.SvgElement;
sanitizer.RemovingAttribute += (s, e) => e.Cancel = e.Tag is AngleSharp.Svg.Dom.SvgElement;

mganss avatar Jun 12 '21 09:06 mganss

ok and any way to keep svg and prevent <svg/onload=alert()> xss?

RaptorCZ avatar Aug 12 '21 12:08 RaptorCZ

If you want to keep the event-based approach allowing all SVG elements and their attributes, you'll have to implement your own logic. Something like this:

sanitizer.RemovingAttribute += (s, e) => e.Cancel = e.Tag is AngleSharp.Svg.Dom.SvgElement
    && !e.Attribute.Name.StartsWith("on");

Another option that aligns better with the original design of the sanitizer is to add all the elements and attributes you actually want to allow to AllowedTags and AllowedAttributes.

Do you really want to allow user contributed SVG?

mganss avatar Aug 12 '21 16:08 mganss

Well, this is not exactly about SVG itself. I need to sanitize html parts in CMS that can contain SVG sprites. And also I need sanitize inputs to prevent user enter some types of XSS strings. Img onLoad and SVG onLoad is just an example.

RaptorCZ avatar Aug 12 '21 17:08 RaptorCZ

So users should be allowed to enter SVG?

mganss avatar Aug 12 '21 17:08 mganss

User can enter any text to form inputs, but some are rendered back as html. So I need to strip XSS attempts. Pentesters are using OWASP samples and <svg/onload is almost the same as any script tag. Text from all inputs and other sources should be sanitized with one helper function. Some texts are external and can contain SVG parts, mostly icons, with user entered texts.

So for now I just need to strip onload attributes from and <svg/onload=""> strings and keep svg. It is not possible to have mutiple sanitize functions with strip all svg and keep safe parts of svg.

RaptorCZ avatar Aug 12 '21 17:08 RaptorCZ

If user entered SVG is really a possible source of XSS then it's probably best to compile a list of elements and attributes you want to allow and add these to AllowedTags and AllowedAttributes.

mganss avatar Aug 13 '21 09:08 mganss