| 136 | } |
| 137 | |
| 138 | function checkSVGContent(content) { |
| 139 | const $ = cheerio.load(content) |
| 140 | const disallowedTagNames = new Set(['script', 'object', 'iframe', 'embed']) |
| 141 | $('*').each((i, element) => { |
| 142 | const { tagName } = element |
| 143 | if (disallowedTagNames.has(tagName)) { |
| 144 | throw new Error(`contains a <${tagName}> tag`) |
| 145 | } |
| 146 | for (const key in element.attribs) { |
| 147 | // Looks for suspicious event handlers on tags. |
| 148 | // For example `<path oNload="alert(1)"" d="M28 0l4.59 4.59-9.76` |
| 149 | // We don't need to do a case-sensitive regex here because cheerio |
| 150 | // will have normalized all the element attribute keys to lowercase. |
| 151 | if (/(\\x[a-f0-9]{2}|\b)on\w+/.test(key)) { |
| 152 | throw new Error(`<${tagName}> contains an unsafe attribute: '${key}'`) |
| 153 | } |
| 154 | } |
| 155 | }) |
| 156 | } |