From 4d41498b5b53c2b8a9d24bb3efa0d32be73c0575 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Tue, 5 Sep 2023 15:31:49 +0100
Subject: [PATCH] Configure size limits for XML

---
 Cargo.lock | 10 +++++-----
 Cargo.toml | 6 +++---
 src/lib.rs | 6 +++++-
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2c567f2..be80c75 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -53,7 +53,7 @@ checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"
 
 [[package]]
 name = "svg-hush"
-version = "0.9.4"
+version = "0.9.5"
 dependencies = [
  "base64",
  "data-url",
@@ -95,9 +95,9 @@ dependencies = [
 
 [[package]]
 name = "url"
-version = "2.4.0"
+version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50bff7831e19200a85b17131d085c25d7811bc4e186efdaf54bbd132994a88cb"
+checksum = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
 dependencies = [
  "form_urlencoded",
  "idna",
@@ -106,6 +106,6 @@ dependencies = [
 
 [[package]]
 name = "xml-rs"
-version = "0.8.16"
+version = "0.8.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47430998a7b5d499ccee752b41567bc3afc57e1327dc855b1a2aa44ce29b5fa1"
+checksum = "1eee6bf5926be7cf998d7381a9a23d833fd493f6a8034658a9505a4dc4b20444"
diff --git a/Cargo.toml b/Cargo.toml
index 380b525..eff3988 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "svg-hush"
 authors = ["Cloudflare "]
-version = "0.9.4"
+version = "0.9.5"
 edition = "2021"
 description = "Strip scripting and other abusable features from SVG files"
 categories = ["multimedia::images"]
@@ -9,7 +9,7 @@ keywords = ["xss", "sanitizer", "purify", "filter", "security"]
 license = "Apache-2.0 OR MIT"
 exclude = ["tests/"]
 repository = "https://github.com/cloudflare/svg-hush"
-rust-version = "1.57"
+rust-version = "1.58"
 
 [dependencies]
 once_cell = "1.15.0"
@@ -17,7 +17,7 @@ data-url = "0.3.0"
 base64 = "0.13.0"
 quick-error = "2.0.1"
 url = "2.3.1"
-xml-rs = "0.8.16"
+xml-rs = "0.8.17"
 
 [package.metadata.release]
 tag-name = "{{version}}"
diff --git a/src/lib.rs b/src/lib.rs
index 6994951..c19a76e 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -221,7 +221,11 @@ impl Filter {
             .cdata_to_characters(true)
             .ignore_comments(true)
             .coalesce_characters(false)
-            .allow_multiple_root_elements(false);
+            .allow_multiple_root_elements(false)
+            .max_attributes(200)
+            .max_entity_expansion_depth(3)
+            .max_data_length(1<<28)
+            .max_name_length(1000);
         if let Some(ct) = &self.content_type {
             config = config.content_type(&ct);
         }
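Review bot: The four limits added after `.allow_multiple_root_elements(false)` in the src/lib.rs hunk are unexplained magic numbers; `1<<28` is 256 MiB of text, which is a generous ceiling for a sanitizer whose purpose is to bound abusable input, and nothing records why these particular values were chosen or what failure mode each one guards against. A short comment above `.max_attributes(200)` such as `// Hard caps on parser resource use (attribute count, entity nesting, text size, name size); 1<<28 = 256 MiB` would let a maintainer judge the trade-off, and hoisting the values into named `const` items (rustfmt would also spell the shift as `1 << 28`) would keep the policy visible in one place. It also appears that none of these limits are reachable through the `Filter` API, so embedders cannot tighten or relax them for their own size budgets — confirm whether that is intended. The enclosing method starts and ends outside the hunk.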