If a field containing an inline SVG is passed through views rewrite results the SVG is stripped and mostly removed (normally just leaving the the title left).
The same field containing an inline SVG can be used on a normal node page without being stripped.
Views rewrite uses \Drupal\Component\Utility\Xss::filterAdmin() which has protected strings of protected static $adminTags = array('a', 'abbr', 'acronym', 'address', 'article', 'aside', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'command', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption', 'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'mark', 'menu', 'meter', 'nav', 'ol', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'small', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'tt', 'u', 'ul', 'var', 'wbr');
Adding some SVG specific strings such as those found in the following popular purifiers would allow common SVG markup and keep it safe from XSS.
https://github.com/cure53/DOMPurify/blob/master/src/purify.js
or
https://github.com/darylldoyle/svg-sanitizer/blob/master/src/data/AllowedTags.php
A section (not full list) by way of example of some strings those purifiers allow is:
'accent-height','accumulate','additivive','alignment-baseline', 'ascent','azimuth','baseline-shift','bias','clip','clip-path',
'clip-rule','color','color-interpolation','color-interpolation-filters', 'color-profile','color-rendering','cx','cy','d','dy','dy','direction',
'display','divisor','dur','elevation','end','fill','fill-opacity', 'fill-rule','filter','flood-color','flood-opacity','font-family',
'font-size','font-size-adjust','font-stretch','font-style','font-variant', 'font-weight','image-rendering','in','in2','k1','k2','k3','k4','kerning', 'letter-spacing','lighting-color','local','marker-end','marker-mid',
'marker-start','max','mask','mode','min','offset','operator','opacity', 'order','orient','overflow','paint-order','path','points','r','rx','ry','radius', 'restart','scale','seed','shape-rendering','stop-color','stop-opacity',
'stroke-dasharray','stroke-dashoffset','stroke-linecap','stroke-linejoin', 'stroke-miterlimit','stroke-opacity','stroke','stroke-width','transform', 'text-anchor','text-decoration','text-rendering','u1','u2','viewbox', 'visibility','word-spacing','wrap','writing-mode','x','x1','x2','y', 'y1','y2','z',
The issue can be worked around by simply not passing SVGs through views Rewrite results.
It would be worthwhile confirm that adding common SVG strings to the existing XSS filtering would be safe. Is it?
Are there other HTML elements that are safe to add but which we do not permit? (broaden issue?)
Added some related issues which show the same issue relating to responsive images.
Comment | File | Size | Author |
---|---|---|---|
#26 | core-no-filter-admin-when-rewriting-view-field-output.patch | 771 bytes | beerendlauwers |
#25 | allow_views_rewrite_results_to_include_inline_svgs-2840938-25.patch | 1.66 KB | vensires |
Comments
Comment #2
LendudeSince this is done by XSS::filterAdmin I would say that this is working as designed, so any changes we make would be a new feature.
There are more requests floating around about people trying to get around the restrictions of only using XSS allowed tags, so maybe it would be worthwhile to allow admins to swap out the used filter in some way. Don't know, just thinking out loud.
Comment #3
serg2 CreditAttribution: serg2 commentedYes, there are quite a few open issues about XSS in general. Initially it would be good to establish if adding these is safe. I will take me a while to find good authoritative sources on this but once I do I will add them in here.
Comment #4
serg2 CreditAttribution: serg2 commentedComment #5
serg2 CreditAttribution: serg2 commentedThere was a core issue #2099741: Protect WYSIWYG Editors from XSS Without Destroying User Data which dealt with preventing XSS in Ckeditor. The documentation within the patch is the best information I can find about making user submitted content XSS safe without destroying the content.
It is worth noting that SVGs can be uploaded into WYSIWYG (CKEditor) and used safely because of that patch. It focuses on blacklisting bad, rather than whitelisting good. Some SVG features are stripped but only a few and 'simple' SVGs will get through unharmed.
The core of this issue, allowing SVGs through Views-rewrite results, comes down to:
What is the purpose of the filtering that occurs at the rewrite stage?
It seems like it is 'old code' but it does ensure super safe output. If, for instance, content is being passed though rewrite results which has not previously been filtered it will make it safe.
One solution could be, now that CKeditor is in core, is to use its filter set-up at views rewrite.
That would mean that all the issues that are currently open regarding views rewrite stripping get either fixed or moved into the CKeditor (and the obvious benefits of removing and re-using code).
Should I change this issue to that: "Use CKEditor filtering in views re-write results" ?
Comment #6
Lendudethat might work as long as we don't create a dependency on CKEditor in Views. Haven't looked at what CKEditor does so don't know how viable this is, but somehow being able to switch to different filter settings sounds something that would be attractive for a lot of people.
Comment #12
kenton.r CreditAttribution: kenton.r commentedI just ran into the need of adding an SVG in views rewrite. I would also like to see this feature added.
Comment #14
markdc@kenton.r Ditto that.
Comment #15
marcoka CreditAttribution: marcoka commentedVery important. I use it like that and that will not work in views because stripped out
This is no special custom tag: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/use
Guess i need to hack core again because of a tag.
#2687479: Responsive Image not working in rewritten Views field/area due to XSS filtering
Comment #16
Juc1 CreditAttribution: Juc1 commented@marcoka or anyone - do I still need to hack core to allow the svg tag in my View? If so what do I need to do?
Comment #17
Juc1 CreditAttribution: Juc1 commentedreply to myself - permitted html tags are listed in /core/lib/Drupal/Component/Utility/Xss.php but a better option is to use a views template (such as views-view-fields--my-view-here.html.twig) which has no html restrictions.
Comment #18
marcoka CreditAttribution: marcoka commentedJuc1 yes you need to. DI it today, again.
Comment #21
C13L0 CreditAttribution: C13L0 commentedFollowing this issue as it is a feature that we need.
Comment #24
vensires CreditAttribution: vensires at E-Sepia Web Innovation commentedComment #25
vensires CreditAttribution: vensires at E-Sepia Web Innovation commentedUntil a better solution gets used (ex. override through settings.php or alter hook), I attach a patch which targets the whole Xss class and not Views specifically and adds the SVG and PATH tags to the adminTags array.
I would even consider removing the "views.module" from the issue's "Component" value - either way it's core though it's usually depicted when using views.
Comment #26
beerendlauwers CreditAttribution: beerendlauwers at Netvlies commentedI also encountered this issue. Ideally, there should be another toggle under "Rewrite Results" to skip the
Xss::filterAdmin
filter.For now, I'm using the "Rewrite Results" toggle itself for this purpose. See the attached patch. It was written for Drupal 10.1.4, but it'll probably work on other versions.
Comment #27
vensires CreditAttribution: vensires at E-Sepia Web Innovation commentedWell, I would say that your patch goes to a more opinionated and insecure approach which would work in my scenario too, yes, but it would compromise all views - even if it is not required. From adding two extra tags as allowed to throwing filtering completely out, well there definitely is a gap.
From what I had read in code and comments etc and understood, I would have expected the HTML template coming from Drupal Views UI to be XssAdmin-filtered, yes, but when TWIG is used no extra processing should be done. In that case I could have separate TWIG files in my theme containing the SVG file only and then be able to include these TWIG files from Drupal Views UI textarea - and we should be safe.
When talking about the "Custom" Views Field Plugin, it's more or less easily done, we just have to remove
Xss::filterAdmin(...)
from this:But you did mention the field rewriting functionality in general - which might also be easy too, though I haven't studied that far yet. But in general we should be ok from any security issues since FieldPluginBase::renderText() already does the following (among other things):