1 | /**
|
---|
2 | * Package: svgedit.sanitize
|
---|
3 | *
|
---|
4 | * Licensed under the Apache License, Version 2
|
---|
5 | *
|
---|
6 | * Copyright(c) 2010 Alexis Deveria
|
---|
7 | * Copyright(c) 2010 Jeff Schiller
|
---|
8 | */
|
---|
9 |
|
---|
10 | // Dependencies:
|
---|
11 | // 1) browser.js
|
---|
12 | // 2) svgutils.js
|
---|
13 |
|
---|
14 | var svgedit = svgedit || {};
|
---|
15 |
|
---|
16 | (function() {
|
---|
17 |
|
---|
18 | if (!svgedit.sanitize) {
|
---|
19 | svgedit.sanitize = {};
|
---|
20 | }
|
---|
21 |
|
---|
22 | // Namespace constants
|
---|
23 | var svgns = "http://www.w3.org/2000/svg",
|
---|
24 | xlinkns = "http://www.w3.org/1999/xlink",
|
---|
25 | xmlns = "http://www.w3.org/XML/1998/namespace",
|
---|
26 | xmlnsns = "http://www.w3.org/2000/xmlns/", // see http://www.w3.org/TR/REC-xml-names/#xmlReserved
|
---|
27 | se_ns = "http://svg-edit.googlecode.com",
|
---|
28 | htmlns = "http://www.w3.org/1999/xhtml",
|
---|
29 | mathns = "http://www.w3.org/1998/Math/MathML";
|
---|
30 |
|
---|
31 | // map namespace URIs to prefixes
|
---|
32 | var nsMap_ = {};
|
---|
33 | nsMap_[xlinkns] = 'xlink';
|
---|
34 | nsMap_[xmlns] = 'xml';
|
---|
35 | nsMap_[xmlnsns] = 'xmlns';
|
---|
36 | nsMap_[se_ns] = 'se';
|
---|
37 | nsMap_[htmlns] = 'xhtml';
|
---|
38 | nsMap_[mathns] = 'mathml';
|
---|
39 |
|
---|
40 | // map prefixes to namespace URIs
|
---|
41 | var nsRevMap_ = {};
|
---|
42 | $.each(nsMap_, function(key,value){
|
---|
43 | nsRevMap_[value] = key;
|
---|
44 | });
|
---|
45 |
|
---|
46 | // this defines which elements and attributes that we support
|
---|
47 | var svgWhiteList_ = {
|
---|
48 | // SVG Elements
|
---|
49 | "a": ["class", "clip-path", "clip-rule", "fill", "fill-opacity", "fill-rule", "filter", "id", "mask", "opacity", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform", "xlink:href", "xlink:title"],
|
---|
50 | "circle": ["class", "clip-path", "clip-rule", "cx", "cy", "fill", "fill-opacity", "fill-rule", "filter", "id", "mask", "opacity", "r", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform"],
|
---|
51 | "clipPath": ["class", "clipPathUnits", "id"],
|
---|
52 | "defs": [],
|
---|
53 | "style" : ["type"],
|
---|
54 | "desc": [],
|
---|
55 | "ellipse": ["class", "clip-path", "clip-rule", "cx", "cy", "fill", "fill-opacity", "fill-rule", "filter", "id", "mask", "opacity", "requiredFeatures", "rx", "ry", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform"],
|
---|
56 | "feGaussianBlur": ["class", "color-interpolation-filters", "id", "requiredFeatures", "stdDeviation"],
|
---|
57 | "filter": ["class", "color-interpolation-filters", "filterRes", "filterUnits", "height", "id", "primitiveUnits", "requiredFeatures", "width", "x", "xlink:href", "y"],
|
---|
58 | "foreignObject": ["class", "font-size", "height", "id", "opacity", "requiredFeatures", "style", "transform", "width", "x", "y"],
|
---|
59 | "g": ["class", "clip-path", "clip-rule", "id", "display", "fill", "fill-opacity", "fill-rule", "filter", "mask", "opacity", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform", "font-family", "font-size", "font-style", "font-weight", "text-anchor", "data-locked"],
|
---|
60 | "image": ["class", "clip-path", "clip-rule", "filter", "height", "id", "mask", "opacity", "requiredFeatures", "style", "systemLanguage", "transform", "width", "x", "xlink:href", "xlink:title", "y"],
|
---|
61 | "line": ["shape-rendering", "class", "clip-path", "clip-rule", "fill", "fill-opacity", "fill-rule", "filter", "id", "marker-end", "marker-mid", "marker-start", "mask", "opacity", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform", "x1", "x2", "y1", "y2"],
|
---|
62 | "linearGradient": ["class", "id", "gradientTransform", "gradientUnits", "requiredFeatures", "spreadMethod", "systemLanguage", "x1", "x2", "xlink:href", "y1", "y2"],
|
---|
63 | "marker": ["id", "class", "markerHeight", "markerUnits", "markerWidth", "orient", "preserveAspectRatio", "refX", "refY", "systemLanguage", "viewBox"],
|
---|
64 | "mask": ["class", "height", "id", "maskContentUnits", "maskUnits", "width", "x", "y"],
|
---|
65 | "metadata": ["class", "id"],
|
---|
66 | "path": ["class", "clip-path", "clip-rule", "d", "fill", "fill-opacity", "fill-rule", "filter", "id", "marker-end", "marker-mid", "marker-start", "mask", "opacity", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform"],
|
---|
67 | "pattern": ["class", "height", "id", "patternContentUnits", "patternTransform", "patternUnits", "requiredFeatures", "style", "systemLanguage", "viewBox", "width", "x", "xlink:href", "y"],
|
---|
68 | "polygon": ["class", "clip-path", "clip-rule", "id", "fill", "fill-opacity", "fill-rule", "filter", "id", "class", "marker-end", "marker-mid", "marker-start", "mask", "opacity", "points", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform"],
|
---|
69 | "polyline": ["class", "clip-path", "clip-rule", "id", "fill", "fill-opacity", "fill-rule", "filter", "marker-end", "marker-mid", "marker-start", "mask", "opacity", "points", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform"],
|
---|
70 | "radialGradient": ["class", "cx", "cy", "fx", "fy", "gradientTransform", "gradientUnits", "id", "r", "requiredFeatures", "spreadMethod", "systemLanguage", "xlink:href"],
|
---|
71 | "rect": ["shape-rendering", "class", "clip-path", "clip-rule", "fill", "fill-opacity", "fill-rule", "filter", "height", "id", "mask", "opacity", "requiredFeatures", "rx", "ry", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform", "width", "x", "y"],
|
---|
72 | "stop": ["class", "id", "offset", "requiredFeatures", "stop-color", "stop-opacity", "style", "systemLanguage"],
|
---|
73 | "svg": ["class", "clip-path", "clip-rule", "filter", "id", "height", "mask", "preserveAspectRatio", "requiredFeatures", "style", "systemLanguage", "viewBox", "width", "x", "xmlns", "xmlns:se", "xmlns:xlink", "y"],
|
---|
74 | "switch": ["class", "id", "requiredFeatures", "systemLanguage"],
|
---|
75 | "symbol": ["class", "fill", "fill-opacity", "fill-rule", "filter", "font-family", "font-size", "font-style", "font-weight", "id", "opacity", "preserveAspectRatio", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "transform", "viewBox"],
|
---|
76 | "text": ["class", "clip-path", "clip-rule", "fill", "fill-opacity", "fill-rule", "filter", "font-family", "font-size", "font-style", "font-weight", "id", "mask", "opacity", "requiredFeatures", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "text-anchor", "transform", "x", "xml:space", "y"],
|
---|
77 | "textPath": ["class", "id", "method", "requiredFeatures", "spacing", "startOffset", "style", "systemLanguage", "transform", "xlink:href"],
|
---|
78 | "title": [],
|
---|
79 | "tspan": ["class", "clip-path", "clip-rule", "dx", "dy", "fill", "fill-opacity", "fill-rule", "filter", "font-family", "font-size", "font-style", "font-weight", "id", "mask", "opacity", "requiredFeatures", "rotate", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "systemLanguage", "text-anchor", "textLength", "transform", "x", "xml:space", "y"],
|
---|
80 | "use": ["class", "clip-path", "clip-rule", "fill", "fill-opacity", "fill-rule", "filter", "height", "id", "mask", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "transform", "width", "x", "xlink:href", "y"],
|
---|
81 |
|
---|
82 | // MathML Elements
|
---|
83 | "annotation": ["encoding"],
|
---|
84 | "annotation-xml": ["encoding"],
|
---|
85 | "maction": ["actiontype", "other", "selection"],
|
---|
86 | "math": ["class", "id", "display", "xmlns"],
|
---|
87 | "menclose": ["notation"],
|
---|
88 | "merror": [],
|
---|
89 | "mfrac": ["linethickness"],
|
---|
90 | "mi": ["mathvariant"],
|
---|
91 | "mmultiscripts": [],
|
---|
92 | "mn": [],
|
---|
93 | "mo": ["fence", "lspace", "maxsize", "minsize", "rspace", "stretchy"],
|
---|
94 | "mover": [],
|
---|
95 | "mpadded": ["lspace", "width", "height", "depth", "voffset"],
|
---|
96 | "mphantom": [],
|
---|
97 | "mprescripts": [],
|
---|
98 | "mroot": [],
|
---|
99 | "mrow": ["xlink:href", "xlink:type", "xmlns:xlink"],
|
---|
100 | "mspace": ["depth", "height", "width"],
|
---|
101 | "msqrt": [],
|
---|
102 | "mstyle": ["displaystyle", "mathbackground", "mathcolor", "mathvariant", "scriptlevel"],
|
---|
103 | "msub": [],
|
---|
104 | "msubsup": [],
|
---|
105 | "msup": [],
|
---|
106 | "mtable": ["align", "columnalign", "columnlines", "columnspacing", "displaystyle", "equalcolumns", "equalrows", "frame", "rowalign", "rowlines", "rowspacing", "width"],
|
---|
107 | "mtd": ["columnalign", "columnspan", "rowalign", "rowspan"],
|
---|
108 | "mtext": [],
|
---|
109 | "mtr": ["columnalign", "rowalign"],
|
---|
110 | "munder": [],
|
---|
111 | "munderover": [],
|
---|
112 | "none": [],
|
---|
113 | "semantics": []
|
---|
114 | };
|
---|
115 |
|
---|
116 | // Produce a Namespace-aware version of svgWhitelist
|
---|
117 | var svgWhiteListNS_ = {};
|
---|
118 | $.each(svgWhiteList_, function(elt,atts){
|
---|
119 | var attNS = {};
|
---|
120 | $.each(atts, function(i, att){
|
---|
121 | if (att.indexOf(':') >= 0) {
|
---|
122 | var v = att.split(':');
|
---|
123 | attNS[v[1]] = nsRevMap_[v[0]];
|
---|
124 | } else {
|
---|
125 | attNS[att] = att == 'xmlns' ? xmlnsns : null;
|
---|
126 | }
|
---|
127 | });
|
---|
128 | svgWhiteListNS_[elt] = attNS;
|
---|
129 | });
|
---|
130 |
|
---|
131 | // temporarily expose these
|
---|
132 | svgedit.sanitize.getNSMap = function() { return nsMap_; }
|
---|
133 |
|
---|
134 | // Function: svgedit.sanitize.sanitizeSvg
|
---|
135 | // Sanitizes the input node and its children
|
---|
136 | // It only keeps what is allowed from our whitelist defined above
|
---|
137 | //
|
---|
138 | // Parameters:
|
---|
139 | // node - The DOM element to be checked, will also check its children
|
---|
140 | svgedit.sanitize.sanitizeSvg = function(node) {
|
---|
141 | // we only care about element nodes
|
---|
142 | // automatically return for all comment, etc nodes
|
---|
143 | // for text, we do a whitespace trim
|
---|
144 | if (node.nodeType == 3) {
|
---|
145 | node.nodeValue = node.nodeValue.replace(/^\s+|\s+$/g, "");
|
---|
146 | // Remove empty text nodes
|
---|
147 | if(!node.nodeValue.length) node.parentNode.removeChild(node);
|
---|
148 | }
|
---|
149 | if (node.nodeType != 1) return;
|
---|
150 | var doc = node.ownerDocument;
|
---|
151 | var parent = node.parentNode;
|
---|
152 | // can parent ever be null here? I think the root node's parent is the document...
|
---|
153 | if (!doc || !parent) return;
|
---|
154 |
|
---|
155 | var allowedAttrs = svgWhiteList_[node.nodeName];
|
---|
156 | var allowedAttrsNS = svgWhiteListNS_[node.nodeName];
|
---|
157 |
|
---|
158 | // if this element is allowed
|
---|
159 | if (allowedAttrs != undefined) {
|
---|
160 |
|
---|
161 | var se_attrs = [];
|
---|
162 |
|
---|
163 | var i = node.attributes.length;
|
---|
164 | while (i--) {
|
---|
165 | // if the attribute is not in our whitelist, then remove it
|
---|
166 | // could use jQuery's inArray(), but I don't know if that's any better
|
---|
167 | var attr = node.attributes.item(i);
|
---|
168 | var attrName = attr.nodeName;
|
---|
169 | var attrLocalName = attr.localName;
|
---|
170 | var attrNsURI = attr.namespaceURI;
|
---|
171 | // Check that an attribute with the correct localName in the correct namespace is on
|
---|
172 | // our whitelist or is a namespace declaration for one of our allowed namespaces
|
---|
173 | if (!(allowedAttrsNS.hasOwnProperty(attrLocalName) && attrNsURI == allowedAttrsNS[attrLocalName] && attrNsURI != xmlnsns) &&
|
---|
174 | !(attrNsURI == xmlnsns && nsMap_[attr.nodeValue]) )
|
---|
175 | {
|
---|
176 | // TODO(codedread): Programmatically add the se: attributes to the NS-aware whitelist.
|
---|
177 | // Bypassing the whitelist to allow se: prefixes. Is there
|
---|
178 | // a more appropriate way to do this?
|
---|
179 | if(attrName.indexOf('se:') == 0) {
|
---|
180 | se_attrs.push([attrName, attr.nodeValue]);
|
---|
181 | }
|
---|
182 | node.removeAttributeNS(attrNsURI, attrLocalName);
|
---|
183 | }
|
---|
184 |
|
---|
185 | // Add spaces before negative signs where necessary
|
---|
186 | if(svgedit.browser.isGecko()) {
|
---|
187 | switch ( attrName ) {
|
---|
188 | case "transform":
|
---|
189 | case "gradientTransform":
|
---|
190 | case "patternTransform":
|
---|
191 | var val = attr.nodeValue.replace(/(\d)-/g, "$1 -");
|
---|
192 | node.setAttribute(attrName, val);
|
---|
193 | }
|
---|
194 | }
|
---|
195 |
|
---|
196 | // for the style attribute, rewrite it in terms of XML presentational attributes
|
---|
197 | if (attrName == "style") {
|
---|
198 | var props = attr.nodeValue.split(";"),
|
---|
199 | p = props.length;
|
---|
200 | while(p--) {
|
---|
201 | var nv = props[p].split(":");
|
---|
202 | // now check that this attribute is supported
|
---|
203 | if (allowedAttrs.indexOf(nv[0]) >= 0) {
|
---|
204 | node.setAttribute(nv[0],nv[1]);
|
---|
205 | }
|
---|
206 | }
|
---|
207 | node.removeAttribute('style');
|
---|
208 | }
|
---|
209 | }
|
---|
210 |
|
---|
211 | $.each(se_attrs, function(i, attr) {
|
---|
212 | node.setAttributeNS(se_ns, attr[0], attr[1]);
|
---|
213 | });
|
---|
214 |
|
---|
215 | // for some elements that have a xlink:href, ensure the URI refers to a local element
|
---|
216 | // (but not for links)
|
---|
217 | var href = svgedit.utilities.getHref(node);
|
---|
218 | if(href &&
|
---|
219 | ["filter", "linearGradient", "pattern",
|
---|
220 | "radialGradient", "textPath", "use"].indexOf(node.nodeName) >= 0)
|
---|
221 | {
|
---|
222 | // TODO: we simply check if the first character is a #, is this bullet-proof?
|
---|
223 | if (href[0] != "#") {
|
---|
224 | // remove the attribute (but keep the element)
|
---|
225 | svgedit.utilities.setHref(node, "");
|
---|
226 | node.removeAttributeNS(xlinkns, "href");
|
---|
227 | }
|
---|
228 | }
|
---|
229 |
|
---|
230 | // Safari crashes on a <use> without a xlink:href, so we just remove the node here
|
---|
231 | if (node.nodeName == "use" && !svgedit.utilities.getHref(node)) {
|
---|
232 | parent.removeChild(node);
|
---|
233 | return;
|
---|
234 | }
|
---|
235 | // if the element has attributes pointing to a non-local reference,
|
---|
236 | // need to remove the attribute
|
---|
237 | $.each(["clip-path", "fill", "filter", "marker-end", "marker-mid", "marker-start", "mask", "stroke"],function(i,attr) {
|
---|
238 | var val = node.getAttribute(attr);
|
---|
239 | if (val) {
|
---|
240 | val = svgedit.utilities.getUrlFromAttr(val);
|
---|
241 | // simply check for first character being a '#'
|
---|
242 | if (val && val[0] !== "#") {
|
---|
243 | node.setAttribute(attr, "");
|
---|
244 | node.removeAttribute(attr);
|
---|
245 | }
|
---|
246 | }
|
---|
247 | });
|
---|
248 |
|
---|
249 | // recurse to children
|
---|
250 | i = node.childNodes.length;
|
---|
251 | while (i--) { svgedit.sanitize.sanitizeSvg(node.childNodes.item(i)); }
|
---|
252 | }
|
---|
253 | // else, remove this element
|
---|
254 | else {
|
---|
255 | // remove all children from this node and insert them before this node
|
---|
256 | // FIXME: in the case of animation elements this will hardly ever be correct
|
---|
257 | var children = [];
|
---|
258 | while (node.hasChildNodes()) {
|
---|
259 | children.push(parent.insertBefore(node.firstChild, node));
|
---|
260 | }
|
---|
261 |
|
---|
262 | // remove this node from the document altogether
|
---|
263 | parent.removeChild(node);
|
---|
264 |
|
---|
265 | // call sanitizeSvg on each of those children
|
---|
266 | var i = children.length;
|
---|
267 | while (i--) { svgedit.sanitize.sanitizeSvg(children[i]); }
|
---|
268 |
|
---|
269 | }
|
---|
270 | };
|
---|
271 |
|
---|
272 | })();
|
---|
273 |
|
---|