fix: handle cornercase when sanitizing style properties

KManolov3 · KManolov3 · commit 401f9afc6196 · 2025-04-28T11:58:17.000+03:00
diff --git a/packages/scratch-svg-renderer/src/sanitize-svg.js b/packages/scratch-svg-renderer/src/sanitize-svg.js
@@ -18,7 +18,7 @@ DOMPurify.addHook(
             const href = currentNode.href.baseVal.replace(/\s/g, '');
             // "data:" and "#" are valid hrefs
             if (!isInternalRef(href)) {
-
+                // TODO: Those can be in different namespaces than `xlink:`
                 if (currentNode.attributes.getNamedItem('xlink:href')) {
                     currentNode.attributes.removeNamedItem('xlink:href');
                     delete currentNode['xlink:href'];
@@ -67,16 +67,21 @@ DOMPurify.addHook(
                 
                 // Elements using url(...) for external resources
                 if (astNode.type === 'Declaration' && astNode.value) {
+                    let shouldRemove = false;
                     walk(astNode.value, valueNode => {
                         if (valueNode.type === 'Url') {
                             const urlValue = (valueNode.value.value || '').trim().replace(/['"]/g, '');
     
                             if (!isInternalRef(urlValue)) {
-                                list.remove(item);
-                                isModified = true;
+                                shouldRemove = true;
                             }
                         }
                     });
+
+                    if (shouldRemove) {
+                        list.remove(item);
+                        isModified = true;
+                    }
                 }
             });
 
diff --git a/packages/scratch-svg-renderer/test/fixtures/css-links.sanitized.svg b/packages/scratch-svg-renderer/test/fixtures/css-links.sanitized.svg
@@ -11,6 +11,12 @@
 
     <circle mask="url(#myMask)"></circle>
 
+    <circle></circle>
+    <circle></circle>
+
+    <rect></rect>
+    <rect></rect>
+
     <style>.url{fill:url(#myMask);stroke:url(#myMask);background-image:url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA")}.url .inner-2{}</style>
 
     <rect class="url"></rect>
diff --git a/packages/scratch-svg-renderer/test/fixtures/css-links.svg b/packages/scratch-svg-renderer/test/fixtures/css-links.svg
@@ -11,6 +11,12 @@
 
     <circle mask="url(#myMask)" />
 
+    <circle fill="url(https://example.com/using-circle-fill-attribute)" />
+    <circle style="fill: url(https://example.com/using-circle-fill-inline-style)" />
+
+    <rect stroke="url(https://example.com/using-rect-stroke-attribute)" />
+    <rect style="stroke: url(https://example.com/using-rect-fill-inline-style)" />
+
     <style>
         .url {
             fill: url(#myMask);
@@ -32,7 +38,7 @@
     <style>
         @font-face {
             font-family: 'ExternalFont';
-            src: url("https://example.com/fonts/ExternalFont.woff2") format('woff2');
+            src: url(https://example.com/using-font-face.woff) format(woff), url(https://example.com/using-font-face.woff2) format(woff2);
         }
         @font-face {
             font-family: 'DataFont';
