Utils | Text: Sanitizing SVG code before parsing

#0

packages/ts/package.json

@@ -56,6 +56,7 @@
     "@types/d3": "^7.4.0",
     "@types/d3-collection": "^1.0.10",
     "@types/d3-sankey": "^0.11.2",
+    "@types/dompurify": "^3.0.2",
     "@types/geojson": "^7946.0.8",
     "@types/leaflet": "1.7.6",
     "@types/supercluster": "^5.0.2",
@@ -71,6 +72,7 @@
     "d3-geo-projection": "^4.0.0",
     "d3-interpolate-path": "^2.2.3",
     "d3-sankey": "^0.12.3",
+    "dompurify": "^3.0.5",
     "elkjs": "^0.8.2",
     "geojson": "^0.5.0",
     "leaflet": "1.7.1",

packages/ts/src/utils/text.ts

@@ -1,5 +1,6 @@
 import { Selection } from 'd3-selection'
 import { sum } from 'd3-array'
+import { sanitize } from 'dompurify'
 
 // Types
 import { TextAlign, TrimMode, UnovisText, UnovisTextFrameOptions, UnovisTextOptions, UnovisWrappedText, VerticalAlign } from 'types/text'
@@ -485,7 +486,8 @@ export function renderTextToSvgTextElement (
   textElement.textContent = ''
   wrappedText.forEach(block => {
     const svgCode = renderTextToTspanStrings([block], x, y).join('')
-    const parsedSvgCode = parser.parseFromString(svgCode, 'image/svg+xml').firstChild
+    const svgCodeSanitized = sanitize(svgCode)
+    const parsedSvgCode = parser.parseFromString(svgCodeSanitized, 'image/svg+xml').firstChild
     textElement.appendChild(parsedSvgCode)
   })
 }
@@ -532,7 +534,8 @@ export function renderTextIntoFrame (
   </text>`
 
   const parser = new DOMParser()
-  const parsedSvgCode = parser.parseFromString(svgCode, 'image/svg+xml').firstChild
+  const svgCodeSanitized = sanitize(svgCode)
+  const parsedSvgCode = parser.parseFromString(svgCodeSanitized, 'image/svg+xml').firstChild
 
   group.textContent = ''
   group.appendChild(parsedSvgCode)