Refactor Fragment and Href

`AllowedUrl` is the basic building block that librsvg uses to ensure that "dangerous" files are not loaded when referenced from CSS properties or attributes like `href`. (Tangentially, see #518, !324 (closed), !326 (closed), !328 (merged).)

`Fragment` and `Href` have various issues:

- Both store plain strings, but they should be based upon `AllowedUrl`. The code constructs an `AllowedUrl` from these strings everywhere (as it is what the basic `acquire_stream` and `acquire_data` accept), but it would be nice not to litter the code that needs stuff to be loaded with validation code.
- The usage is to first `Href::parse()`, and then see if that produced an `Href::PlainUrl` or `Href::Fragment` (and then see if the fragment-less URL is adequate as an `AllowedUrl`). This is awkward for code that actually needs a fragment identifier and cannot work with plain URLs.

Just like we have `pub struct AllowedUrl(Url)` as a newtype to indicate that the URL has been validated, we could change `Fragment` to be `pub struct Fragment(AllowedUrl)` to indicate that it is validated, and it has been checked to contain a fragment identifier.

I think we can remove `Href` and just use `AllowedUrl` or `Fragment` everywhere:

- `<feImage>` actually has different behavior for a plain URL vs. one with a fragment identifier.
- `<image>` only allows plain URLs, and rejects fragment identifiers.
- ... but those could be made to work by just looking at the `url.fragment()` from the contents of the `AllowedUrl`.
- Many places use `IRI`, which is essentially a `Fragment`, to indicate that they actually need a fragment identifier.

I.e. enough places in librsvg actually require a fragment identifier that `Fragment` seems useful to keep around; the rest can use `AllowedUrl` and look manually if needed.
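The newtype proposal above, as an added sketch that is not librsvg's code: `AllowedUrl::parse` uses a constructed stand-in loading policy (librsvg's real rules are more involved) and plain string handling instead of the `url` crate, `Fragment` can only be built from an `AllowedUrl`, and the `<image>` / `<feImage>` callers branch on `url.fragment()` as the issue suggests.

```rust
/// Invariant: the reference passed the loading policy.
#[derive(Debug, Clone, PartialEq)]
pub struct AllowedUrl(String);

/// Invariant: allowed AND carries a non-empty fragment identifier.
#[derive(Debug, Clone, PartialEq)]
pub struct Fragment(AllowedUrl);
#[derive(Debug, PartialEq)]
pub enum HrefError { Disallowed, MissingFragment, UnexpectedFragment }

impl AllowedUrl {
    /// Constructed stand-in policy (not librsvg's): allow data: URLs and
    /// paths under `base_dir` without ".." components; reject the rest.
    pub fn parse(href: &str, base_dir: &str) -> Result<AllowedUrl, HrefError> {
        let path = href.split('#').next().unwrap_or("");
        let allowed = path.starts_with("data:")
            || (path.starts_with(base_dir) && !path.contains(".."));
        if allowed { Ok(AllowedUrl(href.to_string())) } else { Err(HrefError::Disallowed) }
    }
    /// Fragment identifier after '#', if present (like url::Url::fragment).
    pub fn fragment(&self) -> Option<&str> {
        self.0.split_once('#').map(|(_, f)| f)
    }
}

impl Fragment {
    /// Only constructor: takes an already-validated AllowedUrl, so the
    /// loading-policy check can never be skipped by code that needs a fragment.
    pub fn from_allowed(url: AllowedUrl) -> Result<Fragment, HrefError> {
        let has_fragment = url.fragment().map_or(false, |f| !f.is_empty());
        if has_fragment { Ok(Fragment(url)) } else { Err(HrefError::MissingFragment) }
    }
}

/// `<image>`: plain URLs only; a fragment identifier is an error.
pub fn image_href(href: &str, base_dir: &str) -> Result<AllowedUrl, HrefError> {
    let url = AllowedUrl::parse(href, base_dir)?;
    if url.fragment().is_some() { return Err(HrefError::UnexpectedFragment); }
    Ok(url)
}

/// `<feImage>`: a fragment selects an element, a plain URL loads a file.
#[derive(Debug)]
pub enum FeImageSource { Element(Fragment), File(AllowedUrl) }

pub fn fe_image_href(href: &str, base_dir: &str) -> Result<FeImageSource, HrefError> {
    let url = AllowedUrl::parse(href, base_dir)?;
    if url.fragment().is_none() { return Ok(FeImageSource::File(url)); }
    Fragment::from_allowed(url).map(FeImageSource::Element)
}
```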