User talk:Aarchiba/SVG sanitizer
License?
Heya,
This looks awesome. What license is it under? Maybe we could use it for MediaGoblin...
Best practices via DTD?
The best way to do an SVG sanitizer is to create a custom DTD with no event tags or script tags, and then validate against the DTD. That way you only allow known safe tags, as opposed to trying to eliminate unsafe tags. Jrincayc 12:35, 24 August 2005 (UTC)
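The allowlist approach from the comment above, as an added example that is not part of the original discussion or of the sanitizer script under discussion. It enforces the allowlist in Python code rather than by DTD validation; the element and attribute sets, the function names and the sample input are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Constructed allowlists for illustration; a real one needs review and more entries.
ALLOWED_ELEMENTS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "title", "desc"}
ALLOWED_ATTRIBUTES = {"id", "d", "x", "y", "cx", "cy", "r", "rx", "ry", "points",
                      "width", "height", "viewBox", "transform", "fill", "stroke"}

# Constructed sample input: script element, event handlers, foreign namespaces.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" '
    'xmlns:foo="http://example.org/foo" onload="init()" width="10">'
    '<script>init()</script><foo:meta><rect/></foo:meta>'
    '<g foo:bar="1"><rect x="1" onclick="init()" width="2"/>'
    '<a xlink:href="#t"><circle r="1"/></a></g></svg>'
)


def _allowed(elem):
    """True only for elements in the SVG namespace whose local name is listed."""
    prefix = "{" + SVG_NS + "}"
    return elem.tag.startswith(prefix) and elem.tag[len(prefix):] in ALLOWED_ELEMENTS


def _clean(elem):
    # ElementTree spells namespaced attributes "{uri}local", so xlink:href and
    # foo:bar fail this lookup along with on* handlers and anything else unlisted.
    for name in list(elem.attrib):
        if name not in ALLOWED_ATTRIBUTES:
            del elem.attrib[name]
    for child in list(elem):
        if _allowed(child):
            _clean(child)
        else:
            elem.remove(child)  # drop the whole subtree, not just the tag


def sanitize_svg(data: str) -> str:
    # Refuse DTD subsets outright so entity declarations never reach the parser.
    if "<!DOCTYPE" in data or "<!ENTITY" in data:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(data)
    if root.tag != "{" + SVG_NS + "}svg":
        raise ValueError("root element is not svg in the SVG namespace")
    _clean(root)
    ET.register_namespace("", SVG_NS)  # serialize SVG as the default namespace
    return ET.tostring(root, encoding="unicode")
```

Because elements and attributes from unlisted namespaces are removed together, the serialized output carries no prefixes whose declarations have been dropped.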
Illegal xml
After fixing the following file (by adding a xmlns:xlink="http://www.w3.org/1999/xlink" declaration to the root svg element), your script seems to transform it into illegal XML with elements from namespaces which have been removed:
http://wiki.services.openoffice.org/twiki/pub/Main/SVGUserExperiences/Topologyanon.svg
XSLT?
Just an (incomplete) idea:

 <?xml version="1.0"?>
 <xsl:stylesheet version="1.0"
     xmlns:svg="http://www.w3.org/2000/svg"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
   <!-- drop script elements entirely -->
   <xsl:template match="svg:script"/>
   <!-- copy every other element, filtering its attributes -->
   <xsl:template match="*">
     <xsl:copy>
       <xsl:for-each select="@*">
         <xsl:if test="not(name() = 'onabort' or name() = 'onload')"> <!-- etc. -->
           <xsl:copy/>
         </xsl:if>
       </xsl:for-each>
       <!-- recurse into child nodes so descendants are processed too -->
       <xsl:apply-templates/>
     </xsl:copy>
   </xsl:template>
 </xsl:stylesheet>

Could even get the client itself to do the sanitizing by putting a processor instruction at the beginning of the SVG. —Fleminra 06:17, 29 January 2006 (UTC)