rusackas commented on code in PR #34764:
URL: https://github.com/apache/superset/pull/34764#discussion_r2291517238
superset/utils/core.py:
@@ -521,6 +521,70 @@ def markdown(raw: str, markup_wrap: bool | None = False)
-> str:
return safe
+def sanitize_svg_content(svg_content: str) -> str:
+ """Basic SVG protection - remove obvious XSS vectors, trust admin input
otherwise.
+
+ Minimal protection approach that removes scripts and javascript: URLs while
+ preserving all legitimate SVG features. Assumes admin-provided content.
+
+ Args:
+ svg_content: Raw SVG content string
+
+ Returns:
+ str: SVG content with obvious XSS vectors removed
+ """
+ if not svg_content or not svg_content.strip():
+ return ""
+
+ # Minimal protection: remove obvious malicious content, preserve all SVG
features
+ content = re.sub(
+ r"<script[^>]*>.*?</script>", "", svg_content, flags=re.IGNORECASE |
re.DOTALL
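Review bot: The `re.sub(r"<script[^>]*>.*?</script>", ...)` call at the top of `sanitize_svg_content` is a denylist applied to raw markup, which is a fragile basis for an XSS filter: it only removes a `<script>` element that has a matching closing tag, and it says nothing about the other places SVG can carry executable or external content. A more robust shape for this function is to parse the document with an XML parser, walk the tree, keep only an allowlist of elements and attributes, drop everything else, and return the re-serialized result; that also makes the behaviour testable element by element instead of pattern by pattern. The docstring's "trust admin input otherwise" should state where the output is used, because if the SVG is ever inlined into a page rather than served as an `<img>`, the "admin-provided" assumption is the entire security boundary and deserves a sentence such as `Note: anything this function lets through is rendered with the page's origin, so only administrators should be able to supply it.` The rest of `sanitize_svg_content` and the remaining added lines of this hunk are outside the quoted excerpt, so further patterns may already be handled there.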
Review Comment:
Need to look for onClick, onMouseover, onSubmit, etc.