Refactor Fragment and Href
`AllowedUrl` is the basic building block that librsvg uses to ensure that "dangerous" files are not loaded when referenced from CSS properties or attributes like `href`. (Tangentially, see #518, !324, !326, !328.)
- Both `Fragment` and `Href` store plain strings, but they should be based upon `AllowedUrl`. The code constructs an `AllowedUrl` from these strings everywhere (as it is what the basic `acquire_data` accepts), but it would be nice not to litter the code that needs stuff to be loaded with validation code.
- The usage is to first `Href::parse()`, and then see if that produced an `Href::Fragment` (and then see if the fragment-less URL is adequate as an `AllowedUrl`). This is awkward for code that actually needs a fragment identifier and cannot work with plain URLs.
Just like we have `pub struct AllowedUrl(Url)` as a newtype to indicate that the URL has been validated, we could change `Fragment` to be `pub struct Fragment(AllowedUrl)` to indicate that it is validated, and it has been checked to contain a fragment identifier.
I think we can remove `Href` and just use `AllowedUrl` everywhere:

- `<feImage>` actually has different behavior for a plain URL vs. one with a fragment identifier.
- `<image>` only allows plain URLs, and rejects fragment identifiers.
- ... but those could be made to work by just looking at the `url.fragment()` from the contents of the `AllowedUrl`.
- Many places use `IRI`, which is essentially a `Fragment`, to indicate that they actually need a fragment identifier.

I.e. enough places in librsvg actually require a fragment identifier that `Fragment` seems useful to keep around; the rest can use `AllowedUrl` and look manually if needed.
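As an added illustration of the layering proposed above (`pub struct Fragment(AllowedUrl)` on top of a validated `AllowedUrl`, plus the per-element checks for `<image>` and `<feImage>`), here is a self-contained sketch. It is not librsvg's code: the loading policy in `AllowedUrl::from_href` (only `data:` URLs and relative paths that stay under a base directory) is a constructed stand-in for whatever `AllowedUrl` really enforces, the URL handling is a minimal string split rather than the `url` crate, and `image_href`, `fe_image_href` and `FeImageSource` are hypothetical names. The point it shows is that once validation and the fragment check each live in a constructor, element code only has to match on the type it receives.

```rust
// Added example, not librsvg's code. Policy and names below are constructed
// for illustration of the newtype layering discussed in the issue.

#[derive(Debug, Clone, PartialEq)]
pub enum UrlError {
    DisallowedScheme(String),
    EscapesBase(String),
    MissingFragment,
    EmptyFragment,
    UnexpectedFragment,
}

/// A URL that has passed the loading policy. The only way to obtain one is
/// through `from_href`, so downstream code need not repeat the validation.
#[derive(Debug, Clone, PartialEq)]
pub struct AllowedUrl(String);

impl AllowedUrl {
    /// Hypothetical policy (not librsvg's): `data:` URLs are accepted as-is,
    /// any other scheme is rejected, and scheme-less references must stay
    /// inside `base_dir` (no absolute paths, no `..` components).
    pub fn from_href(href: &str, base_dir: &str) -> Result<AllowedUrl, UrlError> {
        // Check the policy against the part before any '#'.
        let without_fragment = href.split('#').next().unwrap_or("");
        if let Some(colon) = without_fragment.find(':') {
            let scheme = &without_fragment[..colon];
            if scheme == "data" {
                return Ok(AllowedUrl(href.to_string()));
            }
            return Err(UrlError::DisallowedScheme(scheme.to_string()));
        }
        if without_fragment.starts_with('/')
            || without_fragment.split('/').any(|component| component == "..")
        {
            return Err(UrlError::EscapesBase(href.to_string()));
        }
        Ok(AllowedUrl(format!("{}/{}", base_dir.trim_end_matches('/'), href)))
    }

    /// Analogue of `url.fragment()` on the wrapped URL.
    pub fn fragment(&self) -> Option<&str> {
        self.0.split_once('#').map(|(_, f)| f)
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// An `AllowedUrl` that has additionally been checked to carry a non-empty
/// fragment identifier, as in the proposed `pub struct Fragment(AllowedUrl)`.
#[derive(Debug, Clone, PartialEq)]
pub struct Fragment(AllowedUrl);

impl Fragment {
    pub fn from_allowed(url: AllowedUrl) -> Result<Fragment, UrlError> {
        match url.fragment() {
            None => Err(UrlError::MissingFragment),
            Some("") => Err(UrlError::EmptyFragment),
            Some(_) => Ok(Fragment(url)),
        }
    }

    /// Always present: the constructor guaranteed it.
    pub fn fragment(&self) -> &str {
        self.0.fragment().unwrap_or("")
    }

    pub fn url(&self) -> &AllowedUrl {
        &self.0
    }
}

/// `<image>` only allows plain URLs, so a fragment is an error here.
pub fn image_href(href: &str, base_dir: &str) -> Result<AllowedUrl, UrlError> {
    let url = AllowedUrl::from_href(href, base_dir)?;
    if url.fragment().is_some() {
        return Err(UrlError::UnexpectedFragment);
    }
    Ok(url)
}

/// `<feImage>` behaves differently for a plain URL and a fragment URL; with
/// the newtypes the distinction is a single check on `fragment()`.
#[derive(Debug, Clone, PartialEq)]
pub enum FeImageSource {
    WholeFile(AllowedUrl),
    Element(Fragment),
}

pub fn fe_image_href(href: &str, base_dir: &str) -> Result<FeImageSource, UrlError> {
    let url = AllowedUrl::from_href(href, base_dir)?;
    if url.fragment().is_some() {
        Ok(FeImageSource::Element(Fragment::from_allowed(url)?))
    } else {
        Ok(FeImageSource::WholeFile(url))
    }
}

fn main() {
    // Constructed sample hrefs, resolved against a constructed base directory.
    for href in ["icons/a.svg#star", "a.svg", "../etc/passwd", "http://example.com/x.svg"] {
        println!("{:?} -> {:?}", href, fe_image_href(href, "/srv/svg"));
    }
}
```

Because `Fragment` can only be built from an `AllowedUrl`, a function that takes a `Fragment` knows both that the loading policy was applied and that a fragment identifier exists; it never needs to re-run either check, which is the clean-up the issue is after.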