Skip to content

CRAFT 1586 | inline svg - use DOMPurify instead of maintaining custom dom sanitization code #433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 15, 2025
Merged

CRAFT 1586 | inline svg - use DOMPurify instead of maintaining custom dom sanitization code #433

merged 1 commit into from
Sep 15, 2025

Conversation

ByronDWall
Copy link
Contributor

Use dompurify instead of custom parsing solution so that:

  • malicious/malformed attrs are removed from the svg but the svg is still displayed
  • we do not have to maintain and test a custom sanitization workflow

DOMPurify is not causing the svg's in uikit to be styled incorrectly. The issue is with uikit styling set on all icons by the getIconStyle util, whichs adds a fill to all child tags of an svg unless the tag specifically has (fill='none') set on the tag.

Therefore I think it makes sense to use DOMPurify over a custom sanitization method.

@ByronDWall
feat(inline svg): use dompurify instead of custom parsing solution so…
37e32dc 
… that malicious/malformed attrs are removed from the svg but the svg is still displayed
@ByronDWall ByronDWall self-assigned this Sep 12, 2025
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 12, 2025

⚠️ No Changeset found

Latest commit: 37e32dc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Sep 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
nimbus-documentation Ready Ready Preview Comment Sep 12, 2025 4:05pm
nimbus-storybook Ready Ready Preview Comment Sep 12, 2025 4:05pm

@ByronDWall ByronDWall mentioned this pull request Sep 12, 2025
Merged
@misama-ct misama-ct merged commit f45da4e into CRAFT-1586-nimbus-component-inline-svg Sep 15, 2025
4 checks passed
@misama-ct misama-ct deleted the bw/dompurify-inline-svg branch September 15, 2025 08:52
misama-ct pushed a commit that referenced this pull request Sep 16, 2025
@ByronDWall @misama-ct
CRAFT 1586 | inline svg - use DOMPurify instead of maintaining custom…
c6e636e 
… dom sanitization code (#433)

feat(inline svg): use dompurify instead of custom parsing solution so that malicious/malformed attrs are removed from the svg but the svg is still displayed
misama-ct added a commit that referenced this pull request Sep 17, 2025
@misama-ct @ByronDWall
CRAFT-1586: feat(inline-svg): introduce InlineSvg component (#382)
014f9be 
* feat(inline-svg): introduce InlineSvg component for rendering sanitized SVGs

- Added InlineSvg component to render arbitrary SVG markup with built-in XSS protection.
- Implemented sanitization logic to remove potentially dangerous elements and attributes.
- Included accessibility features with title and description support.
- Created associated stories and documentation for usage examples and testing.

This addition enhances the component library by providing a secure and flexible way to handle SVGs.

* refactor(inline-svg): simplify InlineSvg component and enhance sanitization

- Removed deprecated props (title, description, preserveViewBox) from InlineSvg component.
- Updated sanitization logic to utilize constants for forbidden tags and attributes.
- Improved accessibility handling by rendering SVGs with role="presentation" and preserving title/description directly in SVG markup.
- Refactored related stories and documentation to reflect changes in props and accessibility features.
- Introduced new hooks for better SVG handling and sanitization.

* feat(inline-svg): add useInlineSvg hook for SVG processing and sanitization

- Introduced a new hook, useInlineSvg, to handle the processing and sanitization of raw SVG data.
- The hook utilizes useMemo for performance optimization and checks for DOM availability.
- Implements sanitization logic to ensure safe SVG rendering, extracting and preserving specific attributes.
- Returns processed SVG attributes, content, and a validation status for improved SVG handling in components.

* refactor(inline-svg): update forbidden attributes in sanitization constants

- Removed explicit listing of event handler attributes from DEFAULT_FORBIDDEN_ATTRIBUTES.
- Added a note clarifying that event handlers are blocked by pattern matching in sanitize-svg.ts.
- Streamlined the sanitization constants for improved clarity and maintainability.

* refactor(inline-svg): update ALLOWED_PROTOCOLS and clarify forbidden attributes

- Added "//" to ALLOWED_PROTOCOLS for improved URL handling.
- Clarified the note regarding event handler attributes in DEFAULT_FORBIDDEN_ATTRIBUTES for better understanding of sanitization logic.

* refactor(inline-svg): update component structure and enhance sanitization

- Moved InlineSvg component from Media to Components menu for better organization.
- Updated color props from "primary.500" to "primary.9" and similar adjustments for other colors to align with new design standards.
- Improved sanitization logic by removing deprecated constants and ensuring all attributes are preserved correctly.
- Enhanced stories to reflect changes in color usage and added tests for SVG sanitization against malicious content.
- Removed unused examples and streamlined the documentation for clarity.

* refactor(inline-svg): simplify InlineSvg component and add ref support

- Removed forwardRef from InlineSvg component for a cleaner structure.
- Added ref prop to InlineSvgProps interface to allow direct access to the SVG element.
- Streamlined the component logic while maintaining sanitization checks for SVG rendering.

* refactor(inline-svg): enhance component functionality and documentation

- Updated InlineSvg component to always render as an SVG, removing support for 'as' and 'asChild' props.
- Improved documentation to clarify the use of predefined and custom sizes for SVGs.
- Enhanced example usage in stories to demonstrate various size options and sanitization of SVG content.
- Updated InlineSvgProps interface to exclude 'as' and 'asChild' from prop types for better type safety.

* refactor(inline-svg): remove className prop from InlineSvgProps interface

* CRAFT 1586 | inline svg - use DOMPurify instead of maintaining custom dom sanitization code (#433)

feat(inline svg): use dompurify instead of custom parsing solution so that malicious/malformed attrs are removed from the svg but the svg is still displayed

* chore(changeset): add changeset for InlineSvg component addition

---------

Co-authored-by: Byron Wall <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaikamat jaikamat jaikamat approved these changes

@misama-ct misama-ct Awaiting requested review from misama-ct

Assignees

@ByronDWall ByronDWall

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ByronDWall @jaikamat @misama-ct