
Entity references not supported

Open eirikbakke opened this issue 1 year ago • 2 comments

Greetings! Thank you very much for authoring the excellent JSVG library. In https://github.com/apache/netbeans/pull/7941, we are in the process of switching the NetBeans IDE from Batik to JSVG for icon rendering.

I encountered one problem that was easy to work around; I thought I would document it here in case anyone else encounters it. Feel free to close the issue if it's not worth fixing.

Bug:

SVG files generated by Adobe Illustrator using the "Style Attributes (Entity References)" option show up with correct shapes, but all-black, when rendered with JSVG.


Now as it turns out, in recent versions of Adobe Illustrator, the Entity References option is now explicitly labeled as deprecated. So it may not really be necessary to support these kinds of SVGs. The problem could occur when trying to load older SVG files, though.


Workaround:

The easy workaround is to simply use another setting when generating the SVG file from Illustrator. The two other settings available are "Style Elements" and "Style Attributes", and they both seem to be working fine with JSVG.

I have attached SVGs generated using each of the three options in case it is useful. The three files were all generated with the same recent version of Adobe Illustrator (version 28.7.2). The "findDropdown_styleattentityrefs.svg" file is the one that does not work with JSVG.

findDropdown_styleattentityrefs.svg
findDropdown_styleattributes.svg
findDropdown_styleelements.svg

eirikbakke avatar Nov 09 '24 22:11 eirikbakke

I don't think that entity references are something I like to support. They won't be part of the newer SVG 2.0 specification. The only "addition" they give is being able to import external definitions, which has been a security risk with other implementations in the past.

Will leave this open for now just to make it more discoverable (until Adobe has removed the option).

weisJ avatar Nov 15 '24 14:11 weisJ

Yeah, makes sense! Agree wrt. loading of external resources too... I always disable anything like that when parsing XML formats.

eirikbakke avatar Nov 15 '24 14:11 eirikbakke

FWIW, the entities declared in the internal subset are expanded automatically by default – they don't require external resource access. I'm currently not seeing a problem loading and rendering "findDropdown_styleattentityrefs.svg" with JSVG, for example.

stanio avatar Apr 19 '25 22:04 stanio

I suppose this is because you use a custom configured input factory where IS_REPLACING_ENTITY_REFERENCES isn’t disabled. I have deliberately disabled it due to possible DOS attacks through files looking like this:


<!DOCTYPE svg [
  <!ENTITY e1 "<rect x='0' y='0' width='20' height='20' fill='blue'/>">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;">
  <!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;">
  <!ENTITY e5 "&e4;&e4;&e4;&e4;&e4;">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="1000" height="1000">
  &e5;
</svg>

weisJ avatar Apr 20 '25 07:04 weisJ

Ah, sorry. Seems I've been testing with the wrong SVG file.

As far as I see now, it is not the IS_REPLACING_ENTITY_REFERENCES setting affecting the result, but SUPPORT_DTD=false:

https://github.com/weisJ/jsvg/blob/c0aa6d18a17b8a6ccd184dd48aab07d2ead0e8c9/jsvg/src/main/java/com/github/weisj/jsvg/parser/impl/StaxSVGLoader.java#L69

I don't think setting this by default is necessary as long as IS_SUPPORTING_EXTERNAL_ENTITIES=false, but that's just my opinion.

As you point out that I'm using a custom configuration, it is now possible with JSVG 2.0.0-RC: 8b3ec2375dfd / #124.

stanio avatar Apr 20 '25 09:04 stanio

Good point. I’ll add an example to the documentation on how to use a custom XMLInputFactory.

weisJ avatar Apr 20 '25 17:04 weisJ
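
An added example, not part of the thread and not JSVG's own code: a plain JDK StAX `XMLInputFactory` configured with the three properties discussed above, run over a constructed SVG whose `style` attribute references one internal-subset entity, reporting for each combination whether the parser resolves the reference or rejects the file. The class name `EntitySettingsDemo`, the entity `st0` and the sample document are assumptions made for illustration; how a factory is passed to JSVG is not shown.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class EntitySettingsDemo {
    // Constructed sample: one internal-subset entity referenced from a style attribute.
    static final String SVG =
        "<!DOCTYPE svg [ <!ENTITY st0 \"fill:#1E88E5;\"> ]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"16\" height=\"16\">"
      + "<rect width=\"16\" height=\"16\" style=\"&st0;\"/></svg>";

    static XMLInputFactory factory(boolean supportDtd, boolean replaceRefs) {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // External entities stay off in every combination; only internal handling varies.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, supportDtd);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, replaceRefs);
        return f;
    }

    // Returns the style value the parser reports for <rect>, or the parse error.
    static String styleSeenBy(XMLInputFactory f) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(SVG));
            try {
                while (r.hasNext()) {
                    if (r.next() == XMLStreamConstants.START_ELEMENT
                            && "rect".equals(r.getLocalName())) {
                        return "style=" + r.getAttributeValue(null, "style");
                    }
                }
                return "no rect element reported";
            } finally {
                r.close();
            }
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        boolean[][] combos = {{true, true}, {true, false}, {false, true}, {false, false}};
        for (boolean[] c : combos) {
            System.out.printf("SUPPORT_DTD=%b IS_REPLACING_ENTITY_REFERENCES=%b -> %s%n",
                c[0], c[1], styleSeenBy(factory(c[0], c[1])));
        }
    }
}
```

The result depends on which StAX implementation `XMLInputFactory.newInstance()` picks up from the classpath, so run it against the one your loader actually uses.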