From 3f34fd587d6855e29c2ac7c8a68a0f9c40f033e6 Mon Sep 17 00:00:00 2001
From: Alquen Sarmiento
Date: Tue, 19 May 2026 13:21:49 +0800
Subject: [PATCH 1/2] fix: sanitize SVG without HTML reparsing
---
 src/plugins/page-icons/page-icons.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/plugins/page-icons/page-icons.js b/src/plugins/page-icons/page-icons.js
index bbd55d5fd..691023a58 100644
--- a/src/plugins/page-icons/page-icons.js
+++ b/src/plugins/page-icons/page-icons.js
@@ -1,6 +1,5 @@
 import './store'
 import { useSelect } from '@wordpress/data'
-import { safeHTML } from '@wordpress/dom'
 
 /**
  * Parse SVG string to extract attributes and innerHTML without DOM manipulation
@@ -43,6 +42,11 @@ const parseSVGString = svgString => {
 	rawInnerSVG = rawInnerSVG.replace( /\s[\w-]+:[\w-]+='[^']*'/g, '' )
 	rawInnerSVG = rawInnerSVG.replace( /\s[\w-]+:[\w-]+=[^\s"'=<>`]+/g, '' )
 
+	// Mimic safeHTML's event handler cleanup without parsing the SVG as HTML.
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+="[^"]*"/gi, '' )
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+='[^']*'/gi, '' )
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+=[^\s"'=<>`]+/gi, '' )
+
 	// Remove href/data-href/src attributes containing data: uris
 	rawInnerSVG = rawInnerSVG.replace(
 		/\s(?:href|data-href|src)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi,
@@ -58,8 +62,6 @@ const parseSVGString = svgString => {
 		}
 	)
 
-	const innerHTML = safeHTML( rawInnerSVG )
-
 	// Extract attributes from the SVG tag
 	const svgAttributes = {}
 	const attributesPart = svgTag.replace( /^$/, '' )
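Review bot: The three regexes added in the `@@ -43` hunk cover only `on*` attributes, but the `safeHTML` call they replace (removed in the `@@ -58` hunk on the same line) also stripped `<script>` elements, and nothing in the new code removes those, so the returned `innerHTML` is now less filtered than before; if it is still injected as markup, add an element-level pass such as `rawInnerSVG = rawInnerSVG.replace( /<script\b[\s\S]*?<\/script\s*>/gi, '' )` or, better, a tag allowlist. The leading `\s` in each pattern also means an attribute preceded by anything other than whitespace is left in place — an HTML tokenizer accepts `/` as a separator before an attribute name — so if the output can reach an HTML parser, use `[\s/]` in place of `\s` in all three patterns. The comment above the new lines would be more useful if it stated the limit, e.g. `// Removes on* attributes only; script elements are not handled here.` `parseSVGString` starts and ends outside this hunk.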
@@ -71,7 +73,7 @@ const parseSVGString = svgString => {
 		const key = attrMatch[ 1 ]
 		const attrNameLower = key.toLowerCase()
 		// Skip width and height as symbols don't need them
-		if ( attrNameLower !== 'width' && attrNameLower !== 'height' ) {
+		if ( attrNameLower !== 'width' && attrNameLower !== 'height' && ! attrNameLower.startsWith( 'on' ) ) {
 			// Value can be in double quotes, single quotes, or unquoted
 			const value = attrMatch[ 2 ] || attrMatch[ 3 ] || attrMatch[ 4 ] || ''
 			svgAttributes[ key ] = value
@@ -79,7 +81,7 @@ const parseSVGString = svgString => {
 		}
 	}
 
-	return { attributes: svgAttributes, innerHTML }
+	return { attributes: svgAttributes, innerHTML: rawInnerSVG }
 }
 
 export const PageIcons = () => {
From cfefd3be503269493216e2934ad6b1dc18163096 Mon Sep 17 00:00:00 2001
From: Alquen Sarmiento
Date: Tue, 19 May 2026 13:46:17 +0800
Subject: [PATCH 2/2] fix: allow optional spaces
---
 src/plugins/page-icons/page-icons.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/plugins/page-icons/page-icons.js b/src/plugins/page-icons/page-icons.js
index 691023a58..5f9bd4d5f 100644
--- a/src/plugins/page-icons/page-icons.js
+++ b/src/plugins/page-icons/page-icons.js
@@ -43,9 +43,9 @@ const parseSVGString = svgString => {
 	rawInnerSVG = rawInnerSVG.replace( /\s[\w-]+:[\w-]+=[^\s"'=<>`]+/g, '' )
 
 	// Mimic safeHTML's event handler cleanup without parsing the SVG as HTML.
-	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+="[^"]*"/gi, '' )
-	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+='[^']*'/gi, '' )
-	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+=[^\s"'=<>`]+/gi, '' )
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+\s*=\s*"[^"]*"/gi, '' )
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+\s*=\s*'[^']*'/gi, '' )
+	rawInnerSVG = rawInnerSVG.replace( /\son[\w-]+\s*=\s*[^\s"'=<>`]+/gi, '' )
 
 	// Remove href/data-href/src attributes containing data: uris
 	rawInnerSVG = rawInnerSVG.replace(
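Review bot: The root `<svg>` attribute loop in the `@@ -71` hunk now skips `on*` names but still copies every other attribute into `svgAttributes`, so the `href`/`data-href`/`src` data: filtering that the earlier hunk applies to `rawInnerSVG` is not applied to root-tag attributes; if `svgAttributes` is spread onto a rendered element (the consumer is not visible here), the two paths should filter the same way. A prefix denylist is also brittle compared with an allowlist of the attributes a symbol actually needs (`viewBox`, `xmlns`, `fill`, `stroke`, … — an example list, to be confirmed against the consumer), e.g. `if ( ALLOWED_ATTRS.has( attrNameLower ) ) {` with the set declared once at module level. The enclosing loop and `parseSVGString` both start and end outside the hunk.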
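Review bot: The optional-space allowance added to the `on*` patterns in patch 2 is not applied to the namespaced-attribute patterns that run just before them — the visible context line with `[\w-]+:[\w-]+=` and its two quoted siblings above the hunk still require `=` with no surrounding whitespace, so the input variation that motivated this patch still passes those filters; change them to `[\w-]+:[\w-]+\s*=\s*` as well. Each `replace` also runs a single pass, and a removal can leave adjacent text that only then matches a pattern, so rather than three one-shot replacements loop until the string stops changing, e.g. `let prev; do { prev = rawInnerSVG; rawInnerSVG = rawInnerSVG.replace( ON_ATTR_RE, '' ) } while ( prev !== rawInnerSVG )`, where `ON_ATTR_RE` (placeholder name) combines the three alternatives. Regex denylists over markup are hard to make complete; since this code appears to run in the browser, `new DOMParser().parseFromString( svgString, 'image/svg+xml' )` followed by attribute removal would avoid the HTML reparsing named in the commit title without a regex denylist, though the file header's "without DOM manipulation" goal may rule that out.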