Fix: remove all xlink:href attributes in incoming SVG

highcharts · Feb 19, 2025 · c7349b2 · c7349b2
1 parent 48d3794
commit c7349b2
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/sanitize.js b/lib/sanitize.js
@@ -31,7 +31,11 @@ import DOMPurify from 'dompurify';
 export function sanitize(input) {
   const window = new JSDOM('').window;
   const purify = DOMPurify(window);
-  return purify.sanitize(input, { ADD_TAGS: ['foreignObject'] });
+  return purify.sanitize(input, {
+    ADD_TAGS: ['foreignObject'],
+    // Dissalow all xlinks in incoming SVG
+    FORBID_ATTR: ['xlink:href']
+  });
 }
 
 export default sanitize;