https://community.esri.com/t5/arcgis-online-questions/excessive-html-sanitisation-preventing-using-svgs/m-p/1537674#M61459 <P>I am trying to create a popup to provide information about assets, but I am facing significant limitations with SVGs and the CSS available on the ArcGIS platform inside of popups.</P><P>I understand that ArcGIS performs internal HTML sanitization (e.g. via <A href="https://github.com/Esri/arcgis-html-sanitizer" target="_self">@esri/arcgis-html-sanitize)&nbsp;</A>to protect against XSS attacks, but I am surprised by the extent of these restrictions. For example, it is currently not possible to:</P><OL><LI>Specify SVG fill colors.</LI><LI>Apply simple transformations, such as rotations, to elements using a transformation style property.</LI><LI>Use many types of SVG elements. For instance, circles and other elements are stripped of all their attributes and are rendered useless.</LI></OL><P>I created a simple popup design in Figma that requires an SVG rotated to the correct orientation based on a heading attribute from a feature. To achieve this simple requirement, I have found it impossible to use an SVG. Instead, I am forced to use an image hosted by a provider like Cloudinary, which allows for server-side rotation of the image via a property in the url&nbsp; (<A href="https://cloudinary.com/guides/image-effects/rotating-an-image-with-css#:~:text=Rotating%20Images%20with%20Cloudinary%E2%80%99s%20Image%20API" target="_self">details here</A>)&nbsp;</P><P>Is there a simpler way to achieve this effect? Does the XSS sanitation need to be so severe as to render the use of core html syntax unusable?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JonathanDawe_BAS_0-1726134757460.png" style="width: 400px;"><img src="https://community.esri.com/t5/image/serverpage/image-id/114874i17E4BC835C41CB66/image-size/medium?v=v2&amp;px=400" role="button" title="JonathanDawe_BAS_0-1726134757460.png" alt="JonathanDawe_BAS_0-1726134757460.png" /></span></P><P>&nbsp;</P> Thu, 12 Sep 2024 10:05:49 GMT JonathanDawe3 2024-09-12T10:05:49Z https://community.esri.com/t5/arcgis-online-questions/excessive-html-sanitisation-preventing-using-svgs/m-p/1537674#M61459 <P>I am trying to create a popup to provide information about assets, but I am facing significant limitations with SVGs and the CSS available on the ArcGIS platform inside of popups.</P><P>I understand that ArcGIS performs internal HTML sanitization (e.g. via <A href="https://github.com/Esri/arcgis-html-sanitizer" target="_self">@esri/arcgis-html-sanitize)&nbsp;</A>to protect against XSS attacks, but I am surprised by the extent of these restrictions. For example, it is currently not possible to:</P><OL><LI>Specify SVG fill colors.</LI><LI>Apply simple transformations, such as rotations, to elements using a transformation style property.</LI><LI>Use many types of SVG elements. For instance, circles and other elements are stripped of all their attributes and are rendered useless.</LI></OL><P>I created a simple popup design in Figma that requires an SVG rotated to the correct orientation based on a heading attribute from a feature. To achieve this simple requirement, I have found it impossible to use an SVG. Instead, I am forced to use an image hosted by a provider like Cloudinary, which allows for server-side rotation of the image via a property in the url&nbsp; (<A href="https://cloudinary.com/guides/image-effects/rotating-an-image-with-css#:~:text=Rotating%20Images%20with%20Cloudinary%E2%80%99s%20Image%20API" target="_self">details here</A>)&nbsp;</P><P>Is there a simpler way to achieve this effect? Does the XSS sanitation need to be so severe as to render the use of core html syntax unusable?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JonathanDawe_BAS_0-1726134757460.png" style="width: 400px;"><img src="https://community.esri.com/t5/image/serverpage/image-id/114874i17E4BC835C41CB66/image-size/medium?v=v2&amp;px=400" role="button" title="JonathanDawe_BAS_0-1726134757460.png" alt="JonathanDawe_BAS_0-1726134757460.png" /></span></P><P>&nbsp;</P> Thu, 12 Sep 2024 10:05:49 GMT https://community.esri.com/t5/arcgis-online-questions/excessive-html-sanitisation-preventing-using-svgs/m-p/1537674#M61459 JonathanDawe3 2024-09-12T10:05:49Z