Sitecore 10 Rich Text Editor not saving the xlink:href attribute while saving an SVG image


Problem Statement:

We recently upgraded Sitecore from 9.1 to 10.1. Since the upgrade, the Sitecore 10 Rich Text Editor does not save the xlink:href attribute when an SVG image is saved from the Content Editor. The same content saves correctly in our Sitecore 9.1 CMS.

We also applied all the configuration changes we knew of, but the SVG below was still not saved correctly: the xlink:href attribute on the <image> element, which carries the picture as a base64 data URI, was stripped on save.

<svg id="whatsnew-down-arrow" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="165" height="165" viewBox="0 0 165 165">
  <defs>
    <style>
      #whatsnew-down-arrow .cls-1, #whatsnew-down-arrow .cls-2 {
        fill: #d94029;
      }
      #whatsnew-down-arrow .cls-1 {
        opacity: 0.23;
      }
    </style>
  </defs>
  <circle class="cls-1" cx="82.5" cy="82.5" r="82.5"/>
  <circle id="Ellipse_1_copy" data-name="Ellipse 1 copy" class="cls-2" cx="82.5" cy="82.499" r="74.781"/>
  <image x="31" y="35" width="103" height="95" xlink:href="data:image/png;base64,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"/>
</svg>


Solution:

We raised the issue with Sitecore Support, who confirmed that the reported behavior is expected. Out of the box, Sitecore removes any attribute whose value contains the string "base64", because such values are treated as potentially dangerous: a base64-encoded data URI can just as easily carry HTML or JavaScript as an image, and the filter does not try to tell the two apart. The references below document base64 payloads used to evade XSS filters:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

https://html5sec.org/

If you need base64 images in RTE fields, you can disable the HtmlEditor.RemoveScripts setting (ideally through a patch file under App_Config/Include rather than by editing Sitecore.config directly):

<setting name="HtmlEditor.RemoveScripts" value="false" />

However, note that with this setting disabled the editor no longer strips script content either, so any user with access to the RTE field can save JavaScript into it. Treat the change as accepting the stored-XSS risk for everyone who can edit those fields, restrict editing to trusted authors, and prefer a narrower rule (allowing only verified image data URIs) over switching the filter off if you can introduce one.
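To make the trade-off concrete, the following Python is an added example and not Sitecore's code (the real filter is .NET, and this post does not publish its exact rules). strip_base64_attributes only approximates the out-of-the-box behaviour described above, dropping any attribute whose value contains "base64"; allow_image_data_uris is one narrower alternative that keeps a data: URI only on <image> href/xlink:href, only for allow-listed raster types, and only when the decoded bytes actually start with that type's file signature. The sample SVGs and the PNG bytes are constructed for the demonstration.

```python
"""Illustration of the trade-off behind HtmlEditor.RemoveScripts (added
example, not Sitecore code). strip_base64_attributes mimics the rule the post
describes; allow_image_data_uris is a narrower alternative. Event handlers and
<script> elements are left to the existing script filter and not modelled."""
from __future__ import annotations

import base64
import binascii
import re
from xml.etree import ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
IMAGE_TAG = f"{{{SVG_NS}}}image"

# Raster types that cannot carry script, each with the file signature the
# decoded payload must start with. image/svg+xml is deliberately absent: an
# SVG data URI can itself contain <script>.
SAFE_IMAGE_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
DATA_URI_RE = re.compile(r"^data:([a-z0-9.+/-]+);base64,(.*)$", re.IGNORECASE | re.DOTALL)


def _label(el: ET.Element, attr: str) -> str:
    """Short 'element@attribute' label without namespace URIs, for reporting."""
    return f"{el.tag.split('}')[-1]}@{attr.split('}')[-1]}"


def strip_base64_attributes(svg_text: str) -> tuple[str, list[str]]:
    """Approximation of the out-of-the-box behaviour described in the post:
    remove every attribute whose value contains "base64", on any element."""
    root = ET.fromstring(svg_text)
    dropped = []
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            if "base64" in value.lower():
                del el.attrib[name]
                dropped.append(_label(el, name))
    return ET.tostring(root, encoding="unicode"), dropped


def is_safe_image_data_uri(value: str) -> bool:
    """Accept a data: URI only if its declared type is an allow-listed raster
    type, the payload is strict base64, and the decoded bytes carry that
    type's signature, so the declared MIME type alone is never trusted."""
    m = DATA_URI_RE.match(value.strip())
    if not m:
        return False
    magic = SAFE_IMAGE_TYPES.get(m.group(1).lower())
    if magic is None:
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(magic)


def allow_image_data_uris(svg_text: str) -> tuple[str, list[str]]:
    """Narrower alternative to disabling RemoveScripts wholesale: keep
    href/xlink:href on <image> when it is a verified raster data: URI, and
    drop every other data:/javascript: URI or base64-bearing attribute."""
    root = ET.fromstring(svg_text)
    dropped = []
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            lowered = value.strip().lower()
            suspicious = lowered.startswith(("data:", "javascript:")) or "base64" in lowered
            if not suspicious:
                continue
            if el.tag == IMAGE_TAG and name in HREF_ATTRS and is_safe_image_data_uri(value):
                continue
            del el.attrib[name]
            dropped.append(_label(el, name))
    return ET.tostring(root, encoding="unicode"), dropped


# Constructed samples (not the post's real SVG). Only the PNG signature is
# verified, so a header plus padding is enough for the demonstration.
FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
GOOD_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="10" height="10">'
    f'<image x="0" y="0" width="10" height="10" xlink:href="data:image/png;base64,{FAKE_PNG}"/>'
    "</svg>"
)
# Hostile content: a payload declared as PNG that actually decodes to markup,
# and a text/html data URI on a link, which no raster allow-list permits.
EVIL_B64 = base64.b64encode(b"<svg onload=alert(1)>").decode()
EVIL_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
    f'<image xlink:href="data:image/png;base64,{EVIL_B64}"/>'
    f'<a xlink:href="data:text/html;base64,{EVIL_B64}"><text>link</text></a>'
    "</svg>"
)

if __name__ == "__main__":
    print("OOB-style rule dropped from the legitimate SVG:", strip_base64_attributes(GOOD_SVG)[1])
    print("allow-list dropped from the legitimate SVG:", allow_image_data_uris(GOOD_SVG)[1])
    print("allow-list dropped from the hostile SVG:", allow_image_data_uris(EVIL_SVG)[1])
```

Run stand-alone, the first line shows the cost of the blanket rule (the genuine PNG is lost along with everything else), while the allow-list keeps it and still rejects both the mislabelled payload and the text/html link. Checking the decoded bytes against the file signature is what makes the declared MIME type untrustworthy in a useful way; a check on the "image/png" prefix alone would be defeated by exactly the sample shown.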


