From 750a659a9fee7687e667d9d755e17b8a0c77d557 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Thu, 25 Sep 2025 14:29:50 -0500
Subject: [PATCH] security: svg xss fix
---
 src/lib/components/common/SVGPanZoom.svelte | 40 ++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/lib/components/common/SVGPanZoom.svelte b/src/lib/components/common/SVGPanZoom.svelte
index 110878d62e..aaeb26dac9 100644
--- a/src/lib/components/common/SVGPanZoom.svelte
+++ b/src/lib/components/common/SVGPanZoom.svelte
@@ -49,7 +49,45 @@
- {@html svg}
+ {@html DOMPurify.sanitize(svg, {
+ USE_PROFILES: { svg: true, svgFilters: true }, // allow , , , etc.
+ WHOLE_DOCUMENT: false,
+ ADD_TAGS: ['style', 'foreignObject'], // include foreignObject if using HTML labels
+ ADD_ATTR: [
+ 'class',
+ 'style',
+ 'id',
+ 'data-*',
+ 'viewBox',
+ 'preserveAspectRatio',
+ // markers / arrows
+ 'markerWidth',
+ 'markerHeight',
+ 'markerUnits',
+ 'refX',
+ 'refY',
+ 'orient',
+ // hrefs (for gradients, markers, etc.)
+ 'href',
+ 'xlink:href',
+ // text positioning
+ 'dominant-baseline',
+ 'text-anchor',
+ // pattern / clip / mask units
+ 'clipPathUnits',
+ 'filterUnits',
+ 'patternUnits',
+ 'patternContentUnits',
+ 'maskUnits',
+ // a11y niceties
+ 'role',
+ 'aria-label',
+ 'aria-labelledby',
+ 'aria-hidden',
+ 'tabindex'
+ ],
+ SANITIZE_DOM: true
+ })}
{#if content}
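Review bot: `ADD_TAGS: ['style', 'foreignObject']` re-enables the one SVG element DOMPurify's svg profile deliberately leaves out; foreignObject is the element that lets an SVG carry HTML content, and the inline comment itself says it is only wanted "if using HTML labels". With USE_PROFILES limited to svg/svgFilters, HTML descendants of a foreignObject should still be stripped, but that is leaning on a second line of defence, so unless this component really renders HTML labels the narrower option is `ADD_TAGS: ['style'],`, with a comment recording that `<style>` content is not inspected by DOMPurify and is accepted on purpose. Separately, `'data-*'` in ADD_ATTR is treated as a literal attribute name rather than a glob; data attributes are already governed by DOMPurify's ALLOW_DATA_ATTR option (default true), so that entry is dead and removing it avoids implying wildcards work here. The `DOMPurify` import this markup depends on is not in the hunk, and the hunk's surrounding context lines are not visible in this view.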