Uploading SVG with viewbox attribute fails

Hi helpful folks,
I’m enjoying Kirby 3.9.2 with a local PHP 8.1.12 on OSX but got into trouble uploading an .svg though the panel. The error message is:

The “viewbox” attribute (line 8) is not allowed: Not included in the global allowlist

After removing the attribute the upload is fine, but the svg is not displayed
Therefore I added it again to the file, after upload.

My question:

1. Is there a security risk having ‘viewbox’ in my svg-file? Just curious after checking the discussion here

2. How can I edit the ‘global allowlist’ as stated in the error message? Should I?

Here are the first 8 lines of the file. The svg was created with a probably old version of CorelDraw…

 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"
            version="1.1" style="
      shape-rendering: geometricPrecision;
      text-rendering: geometricPrecision;
      image-rendering: optimizeQuality;
      fill-rule: evenodd;
      clip-rule: evenodd;
    "  **viewbox="0 0 1080 800"** >

Cheers,
Johannes

Hm, viewBox is in the list of allowed attributes, however, with camelCase not like in your example without.

So you would have to add it to the Kirby\Sane\Svg::$allowedAttributes array like described in the thread you linked above. Or change the spelling of your svg attribute.

Changing the attribute from viewbox to viewBox had the great side effect, that the dimensions and file preview works now. I guess this is somewhere else to fix?

Bildschirmfoto 2023-05-05 um 21.48.391128×204 9.87 KB

They remain 0x0 for the svg with lowercase “viewbox”.

Also, I added viewbox to the allowedAttributes and upload works fine.

Thank you for the quick reply!

The attribute is actually called viewBox, not viewbox, no idea why your svgs have it is as all lower case attribute: viewBox - SVG: Scalable Vector Graphics | MDN