Sitecore 10 Rich Text Editor not saving the xlink:href attribute when saving an SVG image
Problem Statement:
Recently we upgraded Sitecore from 9.1 to 10.1. Since the upgrade, the Sitecore 10 Rich Text Editor does not save the xlink:href attribute when an SVG image is saved from the Content Editor. The same SVG works perfectly fine in our Sitecore 9.1 CMS.
We also made all the known necessary configuration changes, but the SVG image below was still not saved properly:
<svg id="whatsnew-down-arrow" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="165" height="165" viewBox="0 0 165 165">
<defs>
<style>
#whatsnew-down-arrow .cls-1, #whatsnew-down-arrow .cls-2 {
fill: #d94029;
}
#whatsnew-down-arrow .cls-1 {
opacity: 0.23;
}
</style>
</defs>
<circle class="cls-1" cx="82.5" cy="82.5" r="82.5"/>
<circle id="Ellipse_1_copy" data-name="Ellipse 1 copy" class="cls-2" cx="82.5" cy="82.499" r="74.781"/>
<image x="31" y="35" width="103" height="95" xlink:href="data:img/png;base64,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"/>
</svg>
Solution:
We discussed this with Sitecore support, and according to them the reported behaviour is expected. Out of the box, Sitecore removes any attribute whose value contains the string "base64". Such values are treated as dangerous because they might contain JavaScript code. According to the links below, base64 data is not secure in some cases:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://html5sec.org/
You can save base64 images into RTE fields after disabling the HtmlEditor.RemoveScripts setting in the Sitecore.config file:
<setting name="HtmlEditor.RemoveScripts" value="false" />
However, please note that this will also allow users to save JavaScript into the RTE field.
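A finer-grained alternative to switching HtmlEditor.RemoveScripts off globally, as an added Python example that is not Sitecore's code (the function names and the sample SVG are constructed for illustration): keep an xlink:href only when it is a plain reference or a base64 data: URI that actually decodes to a raster image of the declared type, and strip everything else, so script-bearing values are still removed while a legitimately embedded PNG survives.

```python
import base64
import re
import xml.etree.ElementTree as ET
XLINK_NS, SVG_NS = "http://www.w3.org/1999/xlink", "http://www.w3.org/2000/svg"
XLINK_HREF = "{%s}href" % XLINK_NS
ET.register_namespace("xlink", XLINK_NS)  # keep the xlink: prefix on output
ET.register_namespace("", SVG_NS)
# Accepted raster types and the signature their decoded bytes must start with;
# image/svg+xml is absent on purpose, since a nested SVG document can carry <script>.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
DATA_URI = re.compile(r"data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]+)")
# Plain references: http(s) URLs or any value without a scheme separator, so
# javascript: and unvetted data: values can never match this pattern.
PLAIN_REF = re.compile(r"https?://\S+|[^\s:]+", re.I)

def is_safe_image_data_uri(value: str) -> bool:
    """True only for a base64 data: URI whose bytes are an allowed raster image."""
    m = DATA_URI.fullmatch(value.strip())
    if not m or m.group(1).lower() not in MAGIC:
        return False
    try:
        data = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False
    return data.startswith(MAGIC[m.group(1).lower()])

def sanitize_svg_hrefs(svg_markup: str) -> str:
    """Drop href/xlink:href values that are neither plain references nor verified
    image data URIs; all other elements and attributes are left untouched."""
    root = ET.fromstring(svg_markup)
    for el in root.iter():
        for attr in (XLINK_HREF, "href"):
            value = el.get(attr)
            if value is not None and not (is_safe_image_data_uri(value) or PLAIN_REF.fullmatch(value)):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")

def kept_hrefs(svg_markup: str) -> list:
    """xlink:href values that survive sanitisation, in document order."""
    root = ET.fromstring(sanitize_svg_hrefs(svg_markup))
    return [el.get(XLINK_HREF) for el in root.iter() if el.get(XLINK_HREF)]

# Constructed sample: the first <image> holds a genuine PNG signature (kept), the
# second a nested SVG document (refused), and <use> a plain fragment reference (kept).
SAMPLE_SVG = ('<svg xmlns="%s" xmlns:xlink="%s"><image xlink:href="data:image/png;base64,iVBORw0KGgo="/>'
              '<image xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/><use xlink:href="#arrow"/></svg>'
              % (SVG_NS, XLINK_NS))
```

The declared type is matched exactly, so the `data:img/png` prefix used in the SVG above would be rejected by this check until it is corrected to `data:image/png`.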
very tricky and it worked for me