fix(utils): improve svg security

packages/utils/src/loader/cdn-loader.ts

@@ -16,6 +16,7 @@ export class CdnLoader {
     for (const el of elements) {
       // Type of SVGGraphicsElement?
       if (el instanceof SVGElement && 'getBBox' in el) {
+        this.stripUnsafeAttributes(el);
         this.stripUnsafeNodes(...(el as SVGElement).childNodes);
       }
       else {
@@ -24,6 +25,22 @@ export class CdnLoader {
     }
   }
 
+  /**
+   * Strips any event attributes which could be used to
+   * maliciously hijack the application.
+   * @param element Element to check
+   * @returns {void}
+   */
+  private stripUnsafeAttributes (element: SVGElement): void {
+    const attributes = element.getAttributeNames();
+    for (const attribute of attributes) {
+      // Remove event attributes e.g., `onclick`
+      if (attribute.startsWith('on')) {
+        element.removeAttribute(attribute);
+      }
+    }
+  }
+
   /**
    * Asynchronously tries to load
    * @param href The location of the SVG to load