User talk:Aarchiba/SVG sanitizer

Latest comment: 11 years ago by Cwebber in topic License?

License?


Heya,

This looks awesome. What license is it under? Maybe we could use it for MediaGoblin...

--Cwebber (talk) 17:53, 12 May 2013 (UTC)

Best practices via DTD?


The best way to do an SVG sanitizer is to create a custom DTD with no event tags or script tags, and then validate against the DTD. That way you only allow known safe tags, as opposed to trying to eliminate unsafe tags. Jrincayc 12:35, 24 August 2005 (UTC)

Illegal xml


After fixing the following file (by adding an xmlns:xlink="http://www.w3.org/1999/xlink" declaration to the root svg element), your script seems to transform it into illegal XML with elements from namespaces which have been removed:

http://wiki.services.openoffice.org/twiki/pub/Main/SVGUserExperiences/Topologyanon.svg

-- Hauix 12:38, 7 October 2005 (UTC).

XSLT?


Just an (incomplete) idea:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
  xmlns:svg="http://www.w3.org/2000/svg"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- Drop script elements entirely -->
  <xsl:template match="svg:script"/>

  <!-- Copy every other element, filtering out event-handler attributes -->
  <xsl:template match="*">
    <xsl:copy>
      <xsl:for-each select="@*">
        <xsl:if test="not(name() = 'onabort' or name() = 'onload')"> <!-- etc. -->
          <xsl:copy/>
        </xsl:if>
      </xsl:for-each>
      <!-- Recurse so child elements and text are kept -->
      <xsl:apply-templates/>
    </xsl:copy>
  </xsl:template>

</xsl:stylesheet>

Could even get the client itself to do the sanitizing by putting a processor instruction at the beginning of the SVG. —Fleminra 06:17, 29 January 2006 (UTC)
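The allowlist idea from the DTD thread, set against the attribute denylist in the XSLT sketch, as an added example that is not part of any comment on this page and is not the sanitizer script under discussion. It swaps DTD validation for an in-code allowlist; the element and attribute lists, the function names and the sample document are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Assumed allowlists: a small illustrative subset, not a full SVG profile.
ALLOWED_ELEMENTS = {"svg", "g", "defs", "title", "desc", "path", "rect",
                    "circle", "ellipse", "line", "polyline", "polygon",
                    "text", "use"}
ALLOWED_ATTRIBUTES = {"id", "x", "y", "width", "height", "viewBox", "d",
                      "cx", "cy", "r", "rx", "ry", "points", "transform",
                      "fill", "stroke", "stroke-width"}

def _element_allowed(tag):
    # Only SVG-namespace elements on the list pass; anything unknown goes.
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns == SVG_NS and local in ALLOWED_ELEMENTS

def _clean(el):
    for name, value in list(el.attrib.items()):
        # xlink:href is kept only when it points inside the same document.
        same_doc_ref = name == XLINK_HREF and value.strip().startswith("#")
        if name not in ALLOWED_ATTRIBUTES and not same_doc_ref:
            del el.attrib[name]
    for child in list(el):
        if _element_allowed(child.tag):
            _clean(child)
        else:
            # Removes the whole subtree (and any text that trailed it), so no
            # element from a dropped namespace is left behind in the output.
            el.remove(child)

def sanitize_svg(svg_text):
    """Return svg_text reduced to allowlisted elements and attributes."""
    root = ET.fromstring(svg_text)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not an SVG <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample input (not a file from this page).
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns:x="urn:example:editor" onload="init()">
  <script>init = function () {}</script>
  <x:metadata>editor data</x:metadata>
  <rect width="10" height="10" onclick="init()" fill="red"/>
  <use xlink:href="#a"/>
  <use xlink:href="http://example.invalid/other.svg#a"/>
</svg>"""
```

Attribute values other than xlink:href are not inspected here, and a parser that refuses DTDs and entity declarations (for example defusedxml) should be used for untrusted uploads.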