Bug 301280

Summary: [SVG2] Allow <foreignObject> and HTML elements to be cloned to the shadow tree of the <use> element
Product: WebKit Reporter: Said Abou-Hallawa <sabouhallawa>
Component: SVG Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: karlcow, psychpsyo, sabouhallawa, webkit-bug-importer, zimmermann
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Said Abou-Hallawa
Reported 2025-10-22 09:19:14 PDT
SVG2 made it possible for the <use> element to clone many elements that were previously disallowed, such as <foreignObject> [1]. The new WPT test will verify this new change in the SVG2 specs [2].
[1]: https://svgwg.org/svg2-draft/struct.html#UseElement:~:text=Previous%20versions%20of%20SVG,subtree%20to%20be%20cloned
[2]: https://github.com/web-platform-tests/wpt/pull/55576
Attachments
rendering in safari, firefox, chrome (446.95 KB, image/png)
2026-03-18 19:38 PDT, Karl Dubost
no flags
Robert Longson
Comment 1 2025-10-29 06:16:39 PDT
Be careful of https://bugzilla.mozilla.org/show_bug.cgi?id=1754522 when implementing this.
Radar WebKit Bug Importer
Comment 2 2025-10-29 09:20:13 PDT
Karl Dubost
Comment 3 2026-03-18 19:38:53 PDT
Created attachment 478719 [details]
rendering in safari, firefox, chrome
https://github.com/web-platform-tests/wpt/pull/55576
https://wpt.fyi/results/svg/struct/reftests/use-foreignObject.html
https://wpt.live/svg/struct/reftests/use-foreignObject.html
PASS Firefox
FAIL Chrome, Safari
Spec prose in SVG2
> Previous versions of SVG restricted the contents of the shadow tree to SVG graphics elements. This specification allows any valid SVG document subtree to be cloned. Cloning non-graphical content, however, will not usually have any visible effect.
https://w3c.github.io/svgwg/svg2-draft/struct.html#UseElement:~:text=Previous%20versions%20of%20SVG,subtree%20to%20be%20cloned.
Karl Dubost
Comment 4 2026-03-18 19:40:08 PDT
As Robert Longson mentions, we need to make sure of solving "XSS in SVG's foreignObject with iframe, loaded through a same-origin SVG file from a <use> element"