subset: parse OT-SVG with resolve_entities=False

to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
This commit is contained in:
Cosimo Lupo 2023-09-15 16:50:38 +02:00
parent 74240afc35
commit 9f61271dc1


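--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
 # ignore blank text as it's not meaningful in OT-SVG; it also prevents
 # dangling tail text after removing an element when pretty_print=True
 remove_blank_text=True,
+# don't replace entities; we don't expect any in OT-SVG and they may
+# aboused for XXE attacks
+resolve_entities=False,
 ),
 )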
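Review bot: The comment added above `resolve_entities=False` has a grammar slip — `# aboused for XXE attacks` should read `# be abused for XXE attacks`. The keyword names look like lxml's XMLParser options; if so, it would help the next reader to note in the same comment that this setting leaves entity references unexpanded in the parsed tree rather than rejecting the document, so an entity in the input is passed through unresolved instead of being substituted, which matters if the subset output is later re-serialized. The parser construction and `subset_glyphs` itself start outside the hunk, so the surrounding parser options are not visible here.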