
User talk:Aarchiba/SVG sanitizer

From Wikipedia, the free encyclopedia

License?


Heya,

This looks awesome. What license is it under? Maybe we could use it for MediaGoblin...

--Cwebber (talk) 17:53, 12 May 2013 (UTC)

Best practices via DTD?


The best way to do an SVG sanitizer is to create a custom DTD with no event tags or script tags, and then validate against the DTD. That way you only allow known safe tags, as opposed to trying to eliminate unsafe tags. Jrincayc 12:35, 24 August 2005 (UTC)

Illegal xml


After fixing the following file (by adding an xmlns:xlink="http://www.w3.org/1999/xlink" declaration to the root svg element), your script seems to transform it into illegal XML with elements from namespaces which have been removed:

http://wiki.services.openoffice.org/twiki/pub/Main/SVGUserExperiences/Topologyanon.svg

-- Hauix 12:38, 7 October 2005 (UTC).

XSLT?


Just an (incomplete) idea:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
  xmlns:svg="http://www.w3.org/2000/svg"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- Empty template: svg:script elements (and their content) are dropped. -->
  <xsl:template match="svg:script"/>

  <!-- Every other element is copied, with event attributes filtered out. -->
  <xsl:template match="*">
    <xsl:copy>
      <xsl:for-each select="@*">
        <xsl:if test="not(name() = 'onabort' or name() = 'onload')"> <!-- etc. -->
          <xsl:copy/>
        </xsl:if>
      </xsl:for-each>
      <!-- Recurse into children so the filtered subtree is actually emitted. -->
      <xsl:apply-templates/>
    </xsl:copy>
  </xsl:template>

</xsl:stylesheet>

Could even get the client itself to do the sanitizing by putting a processor instruction at the beginning of the SVG. —Fleminra 06:17, 29 January 2006 (UTC)
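As an added example (not code from the page's author or from any of the commenters above), here is the allowlist approach Jrincayc describes, written in Python with the standard library's xml.etree, in the same spirit as Fleminra's XSLT: only listed SVG elements and attributes survive, so script, foreignObject and every on* event attribute vanish without being enumerated. Because the output is serialized from the parsed tree rather than by deleting text, namespace declarations are re-emitted for exactly the names that remain, which avoids the "elements from namespaces which have been removed" problem Hauix reports. The allowlist and the sample SVG are constructed for this example; a real allowlist would be much longer.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed allowlist: a small subset of SVG 1.1. script, foreignObject, style
# and every on* event attribute are kept out simply by not being listed.
ALLOWED_ELEMENTS = {"svg", "g", "defs", "use", "title", "desc", "path", "rect",
                    "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "d", "points", "cx", "cy",
                 "r", "rx", "ry", "x1", "y1", "x2", "y2", "fill", "stroke", "stroke-width", "transform"}

def _split(qname):
    # ElementTree names look like "{namespace}local"; return (namespace, local).
    return tuple(qname[1:].split("}", 1)) if qname.startswith("{") else ("", qname)

def _clean(elem):
    # Drop any child that is not an allowlisted SVG element, subtree included.
    for child in list(elem):
        ns, local = _split(child.tag)
        if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
            elem.remove(child)
        else:
            _clean(child)
    # Keep allowlisted plain attributes, plus xlink:href only as a same-document
    # fragment reference (e.g. <use xlink:href="#shape"/>); external URLs go.
    for name in list(elem.attrib):
        ns, local = _split(name)
        keep = (ns == "" and local in ALLOWED_ATTRS) or (
            ns == XLINK_NS and local == "href" and elem.attrib[name].startswith("#"))
        if not keep:
            del elem.attrib[name]

def sanitize(svg_text):
    # Parse, filter by allowlist, re-serialize. Serializing from the tree emits
    # declarations only for namespaces still in use, so the output stays well-formed.
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not svg:svg")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample input: only the shapes and the local <use> should survive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
  width="100" height="100" onload="init()"><script>init()</script>
  <defs><rect id="r" width="10" height="10" fill="red" onclick="init()"/></defs>
  <use xlink:href="#r" x="5" y="5"/><use xlink:href="http://example.invalid/remote.svg#x"/>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject></svg>"""
```

xml.etree does nothing about entity expansion or external DTDs, so for untrusted uploads the parse step should go through a hardened parser such as defusedxml (assumed available) rather than plain ET.fromstring.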