
SVG policy #196

Closed
kensanata opened this issue Nov 8, 2023 · 1 comment

Comments

@kensanata

kensanata commented Nov 8, 2023

Does anybody have an SVG policy that could be merged into an existing one?

I started writing something like the following. Any thoughts on what to exclude to make it safer? For the moment I removed the "script" element and the attributes "crossorigin", "ping" and all attributes starting with "on".

Perhaps this is a policy that could be added, since SVG can be mixed with HTML.

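	// SVG allowlist for a bluemonday policy. Each element/attribute pair is
	// admitted with AllowAttrs(...).OnElements(...); the "script" element and
	// every "on*" event attribute are deliberately absent from this list.
	//
	// NOTE(review): several attributes below carry URLs ("href" and
	// "xlink:href" on a, image, feImage, use, pattern, gradients, textPath).
	// Confirm that the policy's URL-scheme and parseable-URL rules are applied
	// to them; "xlink:href" in particular may not be treated as a URL attribute
	// by the sanitizer — verify before relying on it.
	// NOTE(review): animate/animateTransform/set accept "attributeName" together
	// with "from"/"to"/"values"/"by", so an animation can rewrite another
	// allowed attribute (including href) with values that are not URL-checked;
	// restrict or drop these if link targets must stay constrained.
	// NOTE(review): "foreignObject" re-admits HTML content, and the "style"
	// element/attribute admit arbitrary CSS — confirm both are intended.
	//
	// Fix vs. the first draft: six entries had attribute and element names
	// swapped (maskUnits, patternTransform, pointsAtY, refY, rel, repeatDur);
	// they are corrected below and marked.
	policy.AllowNoAttrs().OnElements("defs")
	// Presentation attributes: allowed on every element, not only SVG ones.
	policy.AllowAttrs("alignment-baseline", "baseline-shift", "clip-path", "clip-rule", "color", "color-interpolation", "color-interpolation-filters", "cursor", "direction", "display", "dominant-baseline", "fill-opacity", "fill-rule", "filter", "flood-color", "flood-opacity", "font-family", "font-size", "font-size-adjust", "font-stretch", "font-style", "font-variant", "font-weight", "glyph-orientation-horizontal", "glyph-orientation-vertical", "image-rendering", "letter-spacing", "lighting-color", "marker-end", "marker-mid", "marker-start", "mask", "mask-type", "opacity", "overflow", "paint-order", "pointer-events", "shape-rendering", "stop-color", "stop-opacity", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "text-anchor", "text-decoration", "text-overflow", "text-rendering", "transform-origin", "unicode-bidi", "vector-effect", "visibility", "white-space", "word-spacing", "writing-mode").Globally() // SVG elements
	policy.AllowAttrs("accumulate", "additive", "by", "calcMode", "from", "keySplines", "keyTimes", "values").OnElements("animate", "animateMotion", "animateTransform")
	policy.AllowAttrs("amplitude").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR")
	policy.AllowAttrs("aria-activedescendant", "aria-atomic", "aria-autocomplete", "aria-busy", "aria-checked", "aria-colcount", "aria-colindex", "aria-colspan", "aria-controls", "aria-current", "aria-describedby", "aria-details", "aria-disabled", "aria-dropeffect", "aria-errormessage", "aria-expanded", "aria-flowto", "aria-grabbed", "aria-haspopup", "aria-hidden", "aria-invalid", "aria-keyshortcuts", "aria-label", "aria-labelledby", "aria-level", "aria-live", "aria-modal", "aria-multiline", "aria-multiselectable", "aria-orientation", "aria-owns", "aria-placeholder", "aria-posinset", "aria-pressed", "aria-readonly", "aria-relevant", "aria-required", "aria-roledescription", "aria-rowcount", "aria-rowindex", "aria-rowspan", "aria-selected", "aria-setsize", "aria-sort", "aria-valuemax", "aria-valuemin", "aria-valuenow", "aria-valuetext", "role").OnElements("a", "circle", "discard", "ellipse", "foreignObject", "g", "image", "line", "path", "polygon", "polyline", "rect", "svg", "switch", "symbol", "text", "textPath", "tspan", "use", "view")
	// attributeName selects which attribute an animation rewrites (see note above).
	policy.AllowAttrs("attributeName").OnElements("animate", "animateTransform", "set")
	policy.AllowAttrs("autofocus").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("azimuth", "elevation").OnElements("feDistantLight")
	policy.AllowAttrs("baseFrequency", "numOctaves", "seed", "stitchTiles").OnElements("feTurbulence")
	policy.AllowAttrs("begin").OnElements("animate", "animateMotion", "animateTransform", "set", "discard")
	policy.AllowAttrs("bias", "divisor", "kernelMatrix", "order", "preserveAlpha", "targetX", "targetY").OnElements("feConvolveMatrix")
	policy.AllowAttrs("class").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("clipPathUnits").OnElements("clipPath")
	policy.AllowAttrs("cx", "cy").OnElements("circle", "ellipse", "radialGradient")
	policy.AllowAttrs("d").OnElements("path")
	policy.AllowAttrs("diffuseConstant").OnElements("feDiffuseLighting")
	policy.AllowAttrs("download").OnElements("a")
	policy.AllowAttrs("dur").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("dx", "dy").OnElements("feDropShadow", "feOffset", "text", "tspan")
	policy.AllowAttrs("edgeMode").OnElements("feConvolveMatrix", "feGaussianBlur")
	policy.AllowAttrs("end").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("exponent").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR")
	policy.AllowAttrs("fill").Globally() // at least for all SVG elements
	policy.AllowAttrs("filterUnits").OnElements("filter")
	policy.AllowAttrs("fr", "fx", "fy").OnElements("radialGradient")
	policy.AllowAttrs("gradientTransform", "gradientUnits").OnElements("linearGradient", "radialGradient")
	policy.AllowAttrs("height").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feFlood", "feGaussianBlur", "feImage", "feMerge", "feMorphology", "feOffset", "feSpecularLighting", "feTile", "feTurbulence", "filter", "mask", "pattern", "foreignObject", "image", "rect", "svg", "symbol", "use")
	// URL-bearing attribute (see note above).
	policy.AllowAttrs("href").OnElements("a", "animate", "animateMotion", "animateTransform", "set", "discard", "feImage", "image", "linearGradient", "mpath", "pattern", "radialGradient", "textPath", "use")
	policy.AllowAttrs("hreflang").OnElements("a")
	policy.AllowAttrs("id").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("in").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feGaussianBlur", "feMergeNode", "feMorphology", "feOffset", "feSpecularLighting", "feTile")
	policy.AllowAttrs("in2").OnElements("feBlend", "feComposite", "feDisplacementMap")
	policy.AllowAttrs("intercept").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR")
	policy.AllowAttrs("k1", "k2", "k3", "k4").OnElements("feComposite")
	policy.AllowAttrs("kernelUnitLength").OnElements("feConvolveMatrix", "feDiffuseLighting", "feSpecularLighting")
	policy.AllowAttrs("keyPoints").OnElements("animateMotion")
	policy.AllowAttrs("lang").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("lengthAdjust").OnElements("text", "textPath", "tspan")
	policy.AllowAttrs("limitingConeAngle").OnElements("feSpotLight")
	policy.AllowAttrs("markerHeight", "markerUnits", "markerWidth").OnElements("marker")
	// fixed: attribute/element names were swapped ("mask" is the element).
	policy.AllowAttrs("maskContentUnits", "maskUnits").OnElements("mask")
	policy.AllowAttrs("max").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("media").OnElements("style")
	policy.AllowAttrs("method").OnElements("textPath")
	policy.AllowAttrs("min").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("mode").OnElements("feBlend")
	policy.AllowAttrs("offset").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR", "stop")
	policy.AllowAttrs("operator").OnElements("feComposite", "feMorphology")
	policy.AllowAttrs("orient").OnElements("marker")
	policy.AllowAttrs("origin").OnElements("animateMotion")
	policy.AllowAttrs("path").OnElements("animateMotion", "textPath")
	policy.AllowAttrs("pathLength").OnElements("circle", "ellipse", "line", "path", "polygon", "polyline", "rect")
	// fixed: attribute/element names were swapped ("pattern" is the element).
	policy.AllowAttrs("patternContentUnits", "patternTransform").OnElements("pattern")
	policy.AllowAttrs("patternUnits").OnElements("pattern")
	policy.AllowAttrs("playbackorder", "timelinebegin", "transform").OnElements("svg")
	policy.AllowAttrs("points").OnElements("polygon", "polyline")
	// fixed: attribute/element names were swapped ("feSpotLight" is the element).
	policy.AllowAttrs("pointsAtX", "pointsAtY").OnElements("feSpotLight")
	policy.AllowAttrs("pointsAtZ").OnElements("feSpotLight")
	policy.AllowAttrs("preserveAspectRatio").OnElements("feImage", "image", "marker", "pattern", "svg", "symbol", "view")
	policy.AllowAttrs("primitiveUnits").OnElements("filter")
	policy.AllowAttrs("r").OnElements("circle", "radialGradient")
	policy.AllowAttrs("rx", "ry").OnElements("ellipse", "rect")
	policy.AllowAttrs("radius").OnElements("feMorphology")
	// fixed: attribute/element names were swapped ("marker"/"symbol" are the elements).
	policy.AllowAttrs("refX", "refY").OnElements("marker", "symbol")
	// fixed: attribute/element names were swapped ("a" is the element).
	policy.AllowAttrs("referrerpolicy", "rel").OnElements("a")
	// fixed: attribute/element names were swapped (the animation elements are the targets).
	policy.AllowAttrs("repeatCount", "repeatDur").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("requiredExtensions").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "discard", "ellipse", "foreignObject", "g", "image", "line", "mask", "path", "polygon", "polyline", "rect", "set", "svg", "switch", "text", "textPath", "tspan", "use")
	policy.AllowAttrs("restart").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("result").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feFlood", "feGaussianBlur", "feImage", "feMerge", "feMorphology", "feOffset", "feSpecularLighting", "feTile", "feTurbulence")
	policy.AllowAttrs("rotate").OnElements("animateMotion", "text", "tspan")
	policy.AllowAttrs("scale").OnElements("feDisplacementMap")
	policy.AllowAttrs("side").OnElements("textPath")
	policy.AllowAttrs("slope").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR")
	policy.AllowAttrs("spacing").OnElements("textPath")
	policy.AllowAttrs("specularConstant").OnElements("feSpecularLighting")
	policy.AllowAttrs("specularExponent").OnElements("feSpecularLighting", "feSpotLight")
	policy.AllowAttrs("spreadMethod").OnElements("linearGradient", "radialGradient")
	policy.AllowAttrs("startOffset").OnElements("textPath")
	policy.AllowAttrs("stdDeviation").OnElements("feDropShadow", "feGaussianBlur")
	// Inline CSS on every element (see note above).
	policy.AllowAttrs("style").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("surfaceScale").OnElements("feDiffuseLighting", "feSpecularLighting")
	policy.AllowAttrs("systemLanguage").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "discard", "ellipse", "foreignObject", "g", "image", "line", "mask", "path", "polygon", "polyline", "rect", "set", "svg", "switch", "text", "textPath", "tspan", "use")
	policy.AllowAttrs("tabindex").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("tableValues").OnElements("feFuncA", "feFuncB", "feFuncG", "feFuncR")
	policy.AllowAttrs("target").OnElements("a")
	policy.AllowAttrs("textLength").OnElements("text", "textPath", "tspan")
	policy.AllowAttrs("title").OnElements("style")
	policy.AllowAttrs("to").OnElements("animate", "animateMotion", "animateTransform", "set")
	policy.AllowAttrs("transform").Globally() // for almost all SVG elements (with the exception of the pattern, linearGradient and radialGradient elements)
	policy.AllowAttrs("type").OnElements("a", "animateTransform", "feColorMatrix", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feTurbulence", "style")
	policy.AllowAttrs("values").OnElements("feColorMatrix")
	policy.AllowAttrs("viewBox").OnElements("marker", "pattern", "svg", "symbol", "view")
	policy.AllowAttrs("width").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feFlood", "feGaussianBlur", "feImage", "feMerge", "feMorphology", "feOffset", "feSpecularLighting", "feTile", "feTurbulence", "filter", "mask", "pattern", "foreignObject", "image", "rect", "svg", "symbol", "use")
	policy.AllowAttrs("x").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feFlood", "feGaussianBlur", "feImage", "feMerge", "feMorphology", "feOffset", "feSpecularLighting", "feTile", "feTurbulence", "fePointLight", "feSpotLight", "filter", "mask", "pattern", "text", "tspan", "foreignObject", "image", "rect", "svg", "symbol", "use")
	policy.AllowAttrs("x1", "x2", "y1", "y2").OnElements("line", "linearGradient")
	policy.AllowAttrs("xChannelSelector").OnElements("feDisplacementMap")
	// Legacy URL-bearing attribute (see note above).
	policy.AllowAttrs("xlink:href").OnElements("a", "image", "linearGradient", "pattern", "radialGradient", "textPath", "use", "feImage")
	policy.AllowAttrs("xlink:title").OnElements("a", "image", "linearGradient", "pattern", "radialGradient", "textPath", "use")
	policy.AllowAttrs("xml:space").OnElements("a", "animate", "animateMotion", "animateTransform", "circle", "clipPath", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "foreignObject", "g", "image", "line", "linearGradient", "marker", "mask", "metadata", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "stop", "style", "svg", "switch", "symbol", "text", "textPath", "title", "tspan", "use", "view")
	policy.AllowAttrs("y").OnElements("feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDropShadow", "feFlood", "feGaussianBlur", "feImage", "feMerge", "feMorphology", "feOffset", "feSpecularLighting", "feTile", "feTurbulence", "fePointLight", "feSpotLight", "filter", "mask", "pattern", "text", "tspan", "foreignObject", "image", "rect", "svg", "symbol", "use")
	policy.AllowAttrs("yChannelSelector").OnElements("feDisplacementMap")
	policy.AllowAttrs("z").OnElements("fePointLight", "feSpotLight")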
@0c0c0f

0c0c0f commented Feb 1, 2024

bypass the policy



