Hi @bugnumber9! How's it going?

Thank you for submitting your issue! 🙏

We are aware that the aria-hidden attribute is removed from SVGs, but unfortunately, this is intentional, and is part of the sanitization of SVGs for security reasons

I will leave this issue open, but unfortunately, for the time being, we won't be changing this behavior for security reasons.

I hope you can understand.

Kind regards

Hey @nicholaszein

Thanks for your reply, yet I have to admit it's frustrating...

What security risks are involved with inline ARIA attributes? I'm not aware of any.
Sanitization, by definition, is removing potentially unsafe code. How come do ARIA attributes fall into this category?

There's no option in the Icon List widget to add that attribute to icons.
More often than not they should have it because in the majority of cases icons are decorative.

Finally, I can think of multiple ways to achieve the desired result.

I can use HTML widget and just paste SVG code (it'll render it as is), and then have a Heading widget next to it.
I can probably use Dynamic Tags with Dynamic Shortcodes (haven't tested yet but pretty sure it'll work) and again just paste the SVG code into the shortcode.
There are other hacky ways to do it.

With the current approach, the Icon List widget is not accessible without those "hacks" I mentioned above while adding nothing to security.

Hi @bugnumber9!

Apologies, I should have been more clear about the sanitization. Aria attributes pose no security risks on SVGs. The sanitization we use (based on the WordPress default sanitization) removes any attribute and other tags from the SVG tag that are not specifically native to SVG tags.

Your point about icons being decorative (and more specifically the aria attributes themselves) is a valid point.

We are aware this is a problem, however, we are unable to modify the sanitization of these icons at the moment. We understand this is not ideal, and we do have plans to address this limitation in the future, but due to the severity and complexity of this specific case, we cannot prioritize a fix for this at the moment.

I hope I was able to better convey the reason behind this decision.

Thank you for sharing your feedback though! 🙏

@nicholaszein Why not just whitelist the attribute in your sanitiser?

There is a filter that can be used. Something like this in a custom snippet or the theme's functions.php file should work:

<?php

/**
 * Allow aria-hidden attribute in SVG
 */
add_filter( 'elementor/files/svg/allowed_attributes', function( $allowed_attributes ) {

    $extra = array(
        'aria-hidden'
    );

    return array_merge( $extra, $allowed_attributes );

}, 10, 2);

@jamieburchell, because these are not the only ones to allow in terms of accessibility.

Check this article: https://css-tricks.com/accessible-svgs/

@nicholaszein Sure, more could be whitelisted. The OP mentions one specifically.

The point is that it is possible for Elementor to add them; there are no technical restrictions on sanitisation preventing that from happening. Your comment suggests it's not possible.

Fixed in Elementor 3.28.2