highcharts · cvasseng · Mar 24, 2025 · Mar 24, 2025
diff --git a/README.md b/README.md
@@ -6,6 +6,16 @@ Convert Highcharts.JS charts into static image files.
 
 ## Upgrade Notes
 
+## v4.x.x to v5.x.x
+
+There are two breaking changes in v5.x.x:
+    - `xlink:href` is now dissallowed in incoming SVG. This has adverse effects on exports with e.g. background images or other external resources, and is being done to prevent potential security issues. To allow this attribute, set `OTHER_ALLOW_XLINK_HREF` to `true`.
+    - There is now an active upload limit which defaults to 3MB (can be configured with `SERVER_MAX_UPLOAD_SIZE`/`--maxUploadSize`/`maxUploadSize`)
+
+For other changes and fixes, please see the [changelog](CHANGELOG.md).
+
+## v3.x.x to v4.x.x
+
 In most cases, v4 should serve as a drop-in replacement for v2 and v3. However, due to changes in the browser backend, various tweaks related to process handling (e.g., worker counts, and so on) may now have different effects than before.
 
 Significant changes have been made to the API for using the server as a Node.js module. While a compatibility layer has been created to address this, it is recommended to transition to the new API described below. It is worth noting that the compatibility layer may be deprecated at some point in the future.
@@ -384,6 +394,7 @@ These variables are set in your environment and take precedence over options fro
 - `OTHER_NO_LOGO`: Skip printing the logo on a startup. Will be replaced by a simple text (defaults to `false`).
 - `OTHER_HARD_RESET_PAGE`: Determines whether the page's content should be reset from scratch, including Highcharts scripts (defaults to `false`).
 - `OTHER_BROWSER_SHELL_MODE`: Decides whether to enable older but much more performant _shell_ mode for the browser (defaults to `true`).
+- `OTHER_ALLOW_XLINK`: If set to true, allow `xlink:href` in incoming SVG (defaults to `false`).
 
 ### Debugging Config
 - `DEBUG_ENABLE`: Enables or disables debug mode for the underlying browser (defaults to `false`).

diff --git a/dist/index.cjs b/dist/index.cjs
diff --git a/dist/index.esm.js b/dist/index.esm.js
diff --git a/dist/index.esm.js.map b/dist/index.esm.js.map
diff --git a/lib/envs.js b/lib/envs.js
@@ -231,6 +231,7 @@ export const Config = z.object({
   OTHER_NO_LOGO: v.boolean(),
   OTHER_HARD_RESET_PAGE: v.boolean(),
   OTHER_BROWSER_SHELL_MODE: v.boolean(),
+  OTHER_ALLOW_XLINK: v.boolean(),
 
   // debugger
   DEBUG_ENABLE: v.boolean(),

diff --git a/lib/sanitize.js b/lib/sanitize.js
@@ -20,6 +20,7 @@ See LICENSE file in root for details.
 import { JSDOM } from 'jsdom';
 import DOMPurify from 'dompurify';
 
+import { envs } from './envs.js';
 /**
  * Sanitizes a given HTML string by removing <script> tags.
  * This function uses a regular expression to find and remove all
@@ -29,12 +30,17 @@ import DOMPurify from 'dompurify';
  * @returns {string} The sanitized HTML string.
  */
 export function sanitize(input) {
+  const forbidden = [];
+
+  if (!envs.OTHER_ALLOW_XLINK) {
+    forbidden.push('xlink:href');
+  }
+
   const window = new JSDOM('').window;
   const purify = DOMPurify(window);
   return purify.sanitize(input, {
     ADD_TAGS: ['foreignObject'],
-    // Disallow all xlinks in incoming SVG
-    FORBID_ATTR: ['xlink:href']
+    FORBID_ATTR: forbidden
   });
 }