properly sanitizing style attrs

src/js/Import.js

@@ -77,7 +77,6 @@ MD.Import = function(){
 
   function loadSvgString(str, callback) {
     var success = svgCanvas.setSvgString(str) !== false;
-    
     callback = callback || $.noop;
     if(success) {
       callback(true);

src/js/sanitize.js

@@ -144,12 +144,12 @@ svgedit.sanitize.sanitizeSvg = function(node) {
   // we only care about element nodes
   // automatically return for all comment, etc nodes
   // for text, we do a whitespace trim
-  if (node.nodeType == 3) {
+  if (node.nodeType === 3) {
     node.nodeValue = node.nodeValue.replace(/^\s+|\s+$/g, "");
     // Remove empty text nodes
     if(!node.nodeValue.length) node.parentNode.removeChild(node);
   }
-  if (node.nodeType != 1) return;
+  if (node.nodeType !== 1) return;
 
   var doc = node.ownerDocument;
   var parent = node.parentNode;
@@ -161,7 +161,6 @@ svgedit.sanitize.sanitizeSvg = function(node) {
 
   // if this element is allowed
   if (allowedAttrs != undefined) {
-
     var se_attrs = [];
   
     var i = node.attributes.length;
@@ -201,16 +200,17 @@ svgedit.sanitize.sanitizeSvg = function(node) {
       }
       
       // for the style attribute, rewrite it in terms of XML presentational attributes
-      if (attrName == "style") {
+      if (attrName === "style") {
-        var props = attr.nodeValue.replace(' ', '').split(";"),
+        const props = attr.nodeValue
-          p = props.length;
+          .split(";")
-        while(p--) {
+          .map(prop => prop.trim())
-          var nv = props[p].split(":");
+          .filter(Boolean)
-          // now check that this attribute is supported
+          .forEach(prop => {
-          if (allowedAttrs.indexOf(nv[0]) >= 0) {
+            var nv = prop.split(":");
-            node.setAttribute(nv[0],nv[1]);
+            if (allowedAttrs.indexOf(nv[0]) >= 0) {
-          }
+              node.setAttribute(nv[0],nv[1]);
-        }
+            }
+          })
         node.removeAttribute('style');
       }
     }

src/js/svgcanvas.js

@@ -5754,29 +5754,22 @@ this.styleToAttr = function(doc) {
 // Returns:
 // This function returns false if the set was unsuccessful, true otherwise.
 this.setSvgString = function(xmlString) {
+  console.log("opened")
   try {
     // convert string into XML document
     var newDoc = svgedit.utilities.text2xml(xmlString);
-    this.prepareSvg(newDoc);
-
     var batchCmd = new BatchCommand("Change Source");
 
+    this.prepareSvg(newDoc);
     newDoc = this.styleToAttr(newDoc);
     
-
     // remove old svg document
     var nextSibling = svgcontent.nextSibling;
     var oldzoom = svgroot.removeChild(svgcontent);
     batchCmd.addSubCommand(new RemoveElementCommand(oldzoom, nextSibling, svgroot));
   
-    // set new svg document
+
-    // If DOM3 adoptNode() available, use it. Otherwise fall back to DOM2 importNode()
+    svgcontent = svgdoc.adoptNode(newDoc.documentElement);
-    if(svgdoc.adoptNode) {
-      svgcontent = svgdoc.adoptNode(newDoc.documentElement);
-    }
-    else {
-      svgcontent = svgdoc.importNode(newDoc.documentElement, true);
-    }
     
     svgroot.appendChild(svgcontent);
     var content = $(svgcontent);