From c7349b2a250096f0a0297ea6faf1a126d743234d Mon Sep 17 00:00:00 2001
From: "Chris M. Vasseng"
Date: Wed, 19 Feb 2025 18:28:10 +0100
Subject: [PATCH] Fix: remove all xlink:href attributes in incoming SVG

---
 lib/sanitize.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/sanitize.js b/lib/sanitize.js
index 42ffa5bc..5fab819a 100644
--- a/lib/sanitize.js
+++ b/lib/sanitize.js
@@ -31,7 +31,11 @@ import DOMPurify from 'dompurify';
 export function sanitize(input) {
 const window = new JSDOM('').window;
 const purify = DOMPurify(window);
- return purify.sanitize(input, { ADD_TAGS: ['foreignObject'] });
+ return purify.sanitize(input, {
+ ADD_TAGS: ['foreignObject'],
+ // Dissalow all xlinks in incoming SVG
+ FORBID_ATTR: ['xlink:href']
+ });
 }
 
 export default sanitize;
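Review bot: Forbidding only `xlink:href` in the new `FORBID_ATTR` list leaves the un-prefixed `href` attribute alone, and as far as I know DOMPurify keeps `href` on SVG elements (`use`, `image`, `a`) by default, so an incoming document can carry the same reference without the `xlink:` prefix and the "remove all links" intent of the subject line is not met; if that is the goal, use `FORBID_ATTR: ['xlink:href', 'href']`, or switch to an explicit `ALLOWED_ATTR` allowlist if callers need `href` on some elements — verify against what the callers actually consume. The added comment also has a typo and should read `// Disallow all xlinks in incoming SVG`, and it would help to state why the attribute is dropped (external reference loading) so the next maintainer does not relax it. The hunk shows the whole `sanitize` body; the module's imports are outside it.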