From caa127cd53b4bf232865717bcc87b0d79fd3a341 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 24 Nov 2025 21:04:44 +0000
Subject: [PATCH] disallow xref/xhref in SVGs
Signed-off-by: Andy Miller
---
 system/src/Grav/Common/Security.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index cfb3c8572..c7c6f4d5e 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -51,6 +51,7 @@ class Security
     {
         if (Grav::instance()['config']->get('security.sanitize_svg')) {
             $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
+            $sanitizer->addDisallowedAttributes(['href', 'xlink:href']);
             $sanitized = $sanitizer->sanitize($svg);
             if (is_string($sanitized)) {
                 $svg = $sanitized;
@@ -70,6 +71,7 @@ class Security
     {
         if (file_exists($file) && Grav::instance()['config']->get('security.sanitize_svg')) {
             $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
+            $sanitizer->addDisallowedAttributes(['href', 'xlink:href']);
             $original_svg = file_get_contents($file);
             $clean_svg = $sanitizer->sanitize($original_svg);
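Review bot: The disallowed-attribute list `['href', 'xlink:href']` is duplicated verbatim in this hunk and in the one at `@@ -70,6 +71,7 @@`, so the two sanitizing paths can silently drift the next time the list is extended; hoist it into `private const SVG_DISALLOWED_ATTRIBUTES = ['href', 'xlink:href'];` and call `$sanitizer->addDisallowedAttributes(self::SVG_DISALLOWED_ATTRIBUTES);` at both sites. The added line also deserves a why-comment, since it is a deliberate hardening step rather than a sanitizer default, e.g. `// href/xlink:href can point <a>, <use>, <image> etc. at external or non-http URIs; strip every form rather than allow-list schemes`. Note that dropping `href` unconditionally also removes same-document fragment references such as `<use href="#icon">`, so sprite-style SVGs will render empty after sanitizing — if that trade-off is intended it belongs in the method's docblock, which starts above this hunk. Whether `addDisallowedAttributes` matches by qualified name only or is namespace-aware is not visible here; confirm that an href bound to the xlink namespace under a different prefix is covered too. The enclosing method's signature and the tail of its body lie outside the hunk.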