
CVE-2020-27428: Remove lots of event handlers · LLK/scratch-svg-renderer@7c74ec7

A DOM-based cross-site scripting (XSS) vulnerability in scratch-svg-renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file. The SVG content carried in such a file is passed through the string-based sanitizer shown in the patch below; the fix extends that sanitizer to strip inline event-handler attributes in addition to `<script>` elements.


@@ -50,8 +50,21 @@ module.exports = function (svgString) { // Empty script tags and javascript executing svgString = svgString.replace(/<script[\s\S]*>[\s\S]*<\/script>/, ‘<script></script>’);
// Remove error handlers svgString = svgString.replace(/onerror=[\s\S]*['"].*?['"]/i, ‘’); // Remove event handlers const eventNames = [ 'onbegin’, 'onend’, 'onrepeat’, 'onabort’, 'onerror’, 'onresize’, 'onscroll’, 'onunload’, 'oncopy’, 'oncut’, 'onpaste’, 'oncancel’, 'oncanplay’, 'oncanplaythrough’, 'onchange’, 'onclick’, 'onclose’, 'oncuechange’, 'ondblclick’, 'ondrag’, 'ondragend’, 'ondragenter’, 'ondragexit’, 'ondragleave’, 'ondragover’, 'ondragstart’, 'ondrop’, 'ondurationchange’, 'onloadeddata’, 'onloadedmetadata’, 'onloadstart’, 'onmousedown’, 'onmouseenter’, 'onmouseleave’, 'onmousemove’, 'onemptied’, 'onended’, 'onerror’, 'onfocus’, 'oninput’, 'oninvalid’, 'onkeydown’, 'onkeypress’, 'onkeyup’, 'onload’, 'onmouseout’, 'onmouseover’, 'onmouseup’, 'onmousewheel’, 'onpause’, 'onplay’, 'onplaying’, 'onprogress’, 'onratechange’, 'onreset’, 'onresize’, 'onscroll’, 'onseeked’, 'onseeking’, 'onselect’, 'onshow’, 'onstalled’, 'onsubmit’, 'onsuspend’, 'ontimeupdate’, 'ontoggle’, 'onvolumechange’, 'onwaiting’, 'onactivate’, 'onfocusin’, ‘onfocusout’ ]; const eventsRegex = new RegExp(`(${eventNames.join(‘|’)})\\s*=\\s*['"].*['"]`, ‘i’); svgString = svgString.replace(eventsRegex, ‘’);
return svgString; };
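Review bot: The new `eventsRegex` is compiled with only the `i` flag, so `svgString.replace(eventsRegex, '')` on the last added line removes just the first event-handler attribute it finds — an SVG that places handlers on two separate lines keeps the second one — and the greedy `.*` between the quote classes can swallow unrelated markup up to the last quote on that line. Change the flags to `'gi'` and match the value lazily against its own opening quote, i.e. replace `['"].*['"]` in the template literal with `(['"])[\\s\\S]*?\\2` (the handler-name alternation is group 1, so the quote becomes group 2); the `script` and `onerror` replaces above have the same single-match behaviour if they are kept. `onerror`, `onresize` and `onscroll` appear twice in `eventNames`, which is harmless but suggests the list was assembled by hand, and a fixed blocklist only covers the names listed — anything unlisted passes, and nothing in this hunk addresses `javascript:` URLs in `href`/`xlink:href`. An allowlist-based sanitizer, or a DOM parse that drops every attribute whose name begins with `on`, would be the more robust approach; note that `module.exports = function (svgString)` begins before this hunk, so the earlier part of the function may already cover some of this.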
