Icons Registry: improve SVG sanitizer

[t-hamano]

• Follow-up on SVG Icon registration API  #72215
• See SVG Icon registration API  #72215 (comment)

What?

In the experimental icon registry, any string can be registered as SVG content. Unfortunately, there is still no core function to properly sanitize SVGs, so we've enhanced the private methods for sanitization and defined as many SVG-friendly tags and attributes as possible.

Testing Instructions

Please refer to the unit test to see what the function expects.

[t-hamano]

wp_kses() removes disallowed tags but not the text inside them, so I added a logic that returns an empty string if the tag is not an SVG element.

[t-hamano]

I was surprised to see wp_kses() convert camel case attribute names (viewBox) to lower case (viewbox). Lower-case attribute names should be recognized correctly by most browsers, but I'm not sure if this should be allowed.

cc @dmsnell @sirreal

[t-hamano]

As far as I've tested, lowercase viewbox is automatically recognized as viewBox by major browsers, so as long as we're using inline SVG as HTML content, we shouldn't have any problems.

<!DOCTYPE html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" width="100">
  <rect x="0" y="0" width="100%" height="100%" />
  <circle cx="50%" cy="50%" r="4" fill="white" />
</svg>
<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 100 100" width="100">
  <rect x="0" y="0" width="100%" height="100%" />
  <circle cx="50%" cy="50%" r="4" fill="white" />
</svg>

</body>
</html>

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: t-hamano <wildworks@git.wordpress.org>
Co-authored-by: tyxla <tyxla@git.wordpress.org>
Co-authored-by: sirreal <jonsurrell@git.wordpress.org>
Co-authored-by: westonruter <westonruter@git.wordpress.org>
Co-authored-by: dmsnell <dmsnell@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[dmsnell]

@t-hamano this seems like a good improvement since it retains the structure of the existing sanitization while adding extra attributes. did you verify that none of the newly-allowed attributes allows for script execution?

one note here is that SVG is complicated to parse, and even the search for <svg\b seems a bit suspicious. the HTML Processor can parse all valid inline SVGs, and one thing that might be useful here is to prepare the input using that and then dump the output into kses after normalization, where things that seem sneaky might be less prone to issues in kses.

$svg = '';
$processor = WP_HTML_Processor::create_fragment( $icon_content );
if ( ! $processor->next_token() || 'SVG' !== $processor->get_tag() ) {
	return '';
}

$svg .= $processor->serialize_token();
$svg_depth = $processor->get_current_depth();
while ( $processor->next_token() && $processor->get_current_depth() > $svg_depth ) {
	$svg .= $processor->serialize_token();
}

// Parsing has stopped even though there might be additional content.
$filtered = wp_kses( ... )

This could also be done after filtering with wp_kses() as it’s likely to corrupt the SVG, but normalizing first should help avoid a lot of problems. For instance, wp_kses() will be unaware of this but a single <p> terminates the SVG element. In fact, many tags that appear within inline SVG will end it and jump back into HTML. If we first extract the SVG in its entirety with the HTML Processor then we wouldn’t have to consider this.

Unfortunately there could be issues with self-closing tags, which exist within the SVG content but otherwise not in the HTML. In HTML, <svg/> is an entire SVG element, even though HTML contains no self-closing tags (the <svg/> tag is actually an SVG tag so the self-closing rule applies).

sticking with wp_kses() is appropriate apart from all of this. I have proposed dmsnell/wordpress-develop#20 and several other changes that will feed up into wp_kses() (WordPress/wordpress-develop#7409, WordPress/wordpress-develop#9270, and WordPress/wordpress-develop#9851 for example), so ultimately that should become more reliable.

for gradual improvement I think this is good as long as we have a thorough review of the attributes and tags we’re allowing.

[tyxla]

This appears to be using the elements and attributes from my earlier comment, can you confirm?

Would be nice to validate those, as I haven't gone in-depth in that, and there are plenty of elements and attributes that SVGs can support. Also we know that any KSES-related changes shouldn't be taken lightly 😉

[t-hamano]

Sorry for the late reply. I'm working with @mcsf to build the infrastructure to allow the Icon API to be extended on the Gutenberg plugin. If that works out, I'll come back to this PR.

[github-actions]

Flaky tests detected in e39539b.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/27810208343
📝 Reported issues:

• [Flaky Test] does not dirty related template parts or navigation menus when rendered in the post editor #79294 in /test/e2e/specs/editor/blocks/navigation-passive-rendering.spec.js

[westonruter]

What about #cdata-section?

I also wondered about the XML Processing Instruction, whether this would be interpreted as #funky-comment. But it doesn't seem so.

Also, it seems the #doctype token type doesn't come through. It is parsed as a comment.

See PHP Playground

[t-hamano]

I also wondered about the XML Processing Instruction, whether this would be interpreted as #funky-comment. But it doesn't seem so.

Also, it seems the #doctype token type doesn't come through. It is parsed as a comment.

As I understand it, this might be an expected behavior. Quoting from #75550 (comment):

the HTML Processor is parsing SVGs as they would appear inline in HTML.

[sirreal]

What about #cdata-section?

This block ignores some allowed content before the <svg> tag or reject the entire content.

This really depends on how strict things are expected to be. The fragment parser starts in HTML where CDATA cannot appear. "CDATA sections" are actually comments at this point.

I don't know how valuable it is to be more strict at this point, we could do things like only allow the <?xml … ?> which the HTML API recognizes as COMMENT_AS_PI_NODE_LOOKALIKE-type comment with an xml tag name, but this just seems like noise.

I'm undecided, but I'd like this section to either become more strict or to become more relaxed.

A strict implementation would rigorously reject anything that doesn't conform to expectations:

<?xml … ?> (optional)
<!DOCTYPE svg …> (optional)
<svg>…</svg> (REQUIRED)
--- nothing else ---

Processing this requires the full HTML processor and needs to look for a tree like this:

├─#comment(COMMENT_AS_PI_NODE_LOOKALIKE)
│ └─xml  
├─DOCTYPE: svg
└─HTML
  ├─HEAD
  └─BODY
    └─svg:svg
      └─#text …

A more relaxed implementation could just call $processor->next_tag( 'SVG' ) and proceed, ignoring any surrounding content.

Right now, I'm leaning towards the relaxed implementation, but I can understand arguments for the strict version.

[t-hamano]

Right now, I'm leaning towards the relaxed implementation, but I can understand arguments for the strict version.

I don't have a strong opinion, but if #77260 allowed custom icon registration, consumers would likely try to register SVG icons in various formats. In that case, a relaxed version would be more acceptable.

I modified the logic in f4c78d9. This commit also includes alignment of unit test data.

[sirreal]

What about #cdata-section?

This block ignores some allowed content before the <svg> tag or reject the entire content.

This really depends on how strict things are expected to be. The fragment parser starts in HTML where CDATA cannot appear. "CDATA sections" are actually comments at this point.

I don't know how valuable it is to be more strict at this point, we could do things like only allow the <?xml … ?> which the HTML API recognizes as COMMENT_AS_PI_NODE_LOOKALIKE-type comment with an xml tag name, but this just seems like noise.

I'm undecided, but I'd like this section to either become more strict or to become more relaxed.

A strict implementation would rigorously reject anything that doesn't conform to expectations:

<?xml … ?> (optional)
<!DOCTYPE svg …> (optional)
<svg>…</svg> (REQUIRED)
--- nothing else ---

Processing this requires the full HTML processor and needs to look for a tree like this:

├─#comment(COMMENT_AS_PI_NODE_LOOKALIKE)
│ └─xml  
├─DOCTYPE: svg
└─HTML
  ├─HEAD
  └─BODY
    └─svg:svg
      └─#text …

A more relaxed implementation could just call $processor->next_tag( 'SVG' ) and proceed, ignoring any surrounding content.

Right now, I'm leaning towards the relaxed implementation, but I can understand arguments for the strict version.

[sirreal]

As implemented, I don't think this is a problem because a preceding <math> tag would be rejected. However, if we relax this to use ->next_tag( 'SVG' ) and proceed, it could find <math><svg> (an SVG element in the math namespace).

It would be good to check that this is an SVG tag in the svg namespace to prevent this kind of issue.

[t-hamano]

Fixed in f203e7d