How to define my allowlist for SVG attributes? (K3.6, Sane class)

Kirby 3.6 throws an error The "viewbox" attribute (line 1) is not allowed: Not included in the global allowlist (from: /src/Toolkit/Dom.php, line 741; sanitizeAttr function) when I try to do the following:

// attach the SVG image to the page
$svgfile = $page->createFile([
    'filename' => 'track.svg',
    'source' => $tempfile,
    'template' => 'tracksvg',
]);

The SVG file is stored under path $tempfile and looks like this:

<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewbox="0 0 1000 1000">
<g>
<path d="M 893 19 893 19 894 19 893 20 892 22 887 26" style="fill:none;stroke:black"/>
</g>
</svg>

Since my solution worked fine in 3.5, I assume this is related to the new sanitization features of the Sane class mentioned in the release notes, but I can’t figure out how to declare viewbox a permitted attribute for SVG files. Is this “allowlist” feature already documented somewhere? Thank you :slight_smile:

Hm, the viewbox attribute is in the list of $allowedAttrs, see /kirby/src/Sane/Svg.php, :thinking:.

But that probably doesn’t count as the global allowlist? Seems a bit weird.

Ping @lukasbestle

The attribute is called viewBox with a capital B. Since XML is case-sensitive, the Sane and Dom classes also handle the allowed attributes case-sensitively. Kirby 3.5 used in_array() for this, which also treats the items case-sensitively, so as far as I can tell there was no change to this behavior.

What I wonder is: Does viewbox with a lowercase B actually work? Browsers and SVG editors should ignore it as it uses the wrong case, but it could be that some implementations still support it for compatibility.

To answer your original question: You can add additional allowed attributes to the global allowlist in Kirby\Sane\Svg::$allowedAttrs or you can allow it for specific tags with Kirby\Sane\Svg::$allowedTags['svg'] = ['viewbox'].
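To make the case-sensitivity point concrete, here is an added stand-alone PHP example (not Kirby's own code) that mimics an attribute allowlist check over the SVG from the first post; the allowlists in it are a small constructed subset, not the real Kirby\Sane\Svg lists, and it only needs PHP's bundled DOM extension.

```php
<?php
// Added example, not Kirby's code: a minimal, case-sensitive attribute
// allowlist check in the spirit of Kirby\Sane\Svg. The lists below are a
// constructed subset used for illustration only.
const ALLOWED_ATTRS_GLOBAL  = ['style', 'd', 'version'];
const ALLOWED_ATTRS_PER_TAG = ['svg' => ['viewBox', 'width', 'height']];

/**
 * Returns one message per attribute that is not on either allowlist.
 * Matching uses in_array() with strict comparison, so "viewbox" and
 * "viewBox" are different attributes, exactly as XML defines them.
 */
function findDisallowedAttrs(string $svg): array
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadXML($svg, LIBXML_NONET); // no external entity fetches
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }

    $problems = [];
    // "//@*" selects every attribute node; xmlns declarations are namespace
    // nodes in libxml and therefore never show up here.
    foreach ((new DOMXPath($dom))->query('//@*') as $attr) {
        $element = $attr->ownerElement;
        $tag     = $element->localName;
        $name    = $attr->nodeName;
        $perTag  = ALLOWED_ATTRS_PER_TAG[$tag] ?? [];

        if (in_array($name, ALLOWED_ATTRS_GLOBAL, true) === false
            && in_array($name, $perTag, true) === false) {
            $problems[] = sprintf(
                'The "%s" attribute (line %d) is not allowed',
                $name,
                $element->getLineNo()
            );
        }
    }
    return $problems;
}

// Constructed sample: the SVG from the first post, with the lowercase
// "viewbox" that the real sanitizer rejected.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewbox="0 0 1000 1000">'
        . '<g><path d="M 893 19 893 19 894 19" style="fill:none;stroke:black"/></g></svg>';

print_r(findDisallowedAttrs($sample));                                   // lowercase form
print_r(findDisallowedAttrs(str_replace('viewbox', 'viewBox', $sample))); // corrected form
```

The first call reports the lowercase attribute, the second returns an empty array, which is why fixing the generator to emit viewBox is the cleaner fix than widening the allowlist.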

@lukasbestle Thanks, your eyes are definitely better than mine!


Such an obvious mistake, yet so hard to spot – thank you for pointing it out! …talk about not seeing the wood for the trees :see_no_evil:

Not empirically valid observations, but I at least hadn’t noticed any issues with those SVGs (which Sane, up to K3.5.7.1, indeed never complained about before; that script churned out hundreds of them per year). Will of course fix them asap, as that is not valid SVG markup.

Thank you, great to know!

…in case anybody else ever ends up here via search: I just recalled that you provided somewhat related tips on configuring the Sane class over on a GitHub issue on GPX files a while back.