Merge pull request #635 from highcharts/stable

Fix: remove all xlink:href attributes in incoming SVG
highcharts · Feb 19, 2025 · a723e4d · a723e4d
2 parents 48d3794 + c7349b2
commit a723e4d
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/sanitize.js b/lib/sanitize.js
@@ -31,7 +31,11 @@ import DOMPurify from 'dompurify';
 export function sanitize(input) {
   const window = new JSDOM('').window;
   const purify = DOMPurify(window);
-  return purify.sanitize(input, { ADD_TAGS: ['foreignObject'] });
+  return purify.sanitize(input, {
+    ADD_TAGS: ['foreignObject'],
+    // Dissalow all xlinks in incoming SVG
+    FORBID_ATTR: ['xlink:href']
+  });
 }
 
 export default sanitize;