Merge pull request #1724 from LiveHelperChat/master-svg-clean

Master svg clean

lhc_web/cron.php

@@ -26,6 +26,7 @@
 ezcBase::addClassRepository( dirname(__FILE__).'/', dirname(__FILE__).'/lib/autoloads');
 
 spl_autoload_register(array('ezcBase','autoload'), true, false);
+spl_autoload_register(array('erLhcoreClassSystem','autoload'), true, false);
 
 $input = new ezcConsoleInput();
 

lhc_web/index.php

@@ -27,12 +27,12 @@
 // @ini_set('session.cookie_samesite', 'None');
 // @ini_set('session.cookie_secure', true);
 
-require_once "lib/core/lhcore/password.php";
 require_once "ezcomponents/Base/src/base.php"; // dependent on installation method, see below
 
 ezcBase::addClassRepository( './','./lib/autoloads');
 
 spl_autoload_register(array('ezcBase','autoload'), true, false);
+spl_autoload_register(array('erLhcoreClassSystem','autoload'), true, false);
 
 erLhcoreClassSystem::init();
 

lhc_web/lib/core/lhcore/lhimageconverter.php

@@ -436,6 +436,14 @@ public static function upload( $file, $upload_name = 'SlideFile', $save_path = '
 			return $return = array( 'errors' => $errors );
 		}
 
+        // Clean SVG
+        if ($fileSuffix == '.svg') {
+            $sanitizer = new \enshrined\svgSanitize\Sanitizer();
+            $dirtySVG = file_get_contents($saveDir . $fileNameNew);
+            $cleanSVG = $sanitizer->sanitize($dirtySVG);
+            file_put_contents($saveDir . $fileNameNew, $cleanSVG);
+        }
+
 		$data = array( 'filename'  		   => $fileNameNew,
 					   'mime_type' 		   => $mimeType,
 					   'original_filename' => $file_name,

lhc_web/lib/core/lhcore/lhsearchhandler.php

@@ -594,12 +594,19 @@ public static function moveUploadedFile($fileName, $destination_dir, $extensionS
             $fileNameAray = explode('.', $_FILES[$fileName]['name']);
             end($fileNameAray);
             $extension = current($fileNameAray);
-            
+
             $fileNamePhysic = md5($_FILES[$fileName]['tmp_name'] . time()) . $extensionSeparator . strtolower($extension);
 
             move_uploaded_file($_FILES[$fileName]["tmp_name"], $destination_dir . $fileNamePhysic);
             chmod($destination_dir . $fileNamePhysic, 0644);
-
+
+            if ($extension == 'svg') {
+                $sanitizer = new \enshrined\svgSanitize\Sanitizer();
+                $dirtySVG = file_get_contents($destination_dir . $fileNamePhysic);
+                $cleanSVG = $sanitizer->sanitize($dirtySVG);
+                file_put_contents($destination_dir . $fileNamePhysic, $cleanSVG);
+            }
+
             return $fileNamePhysic;
         }
     }
@@ -614,7 +621,14 @@ public static function moveLocalFile($fileName, $destination_dir, $extensionSepa
 
         rename($fileName, $destination_dir . $fileNamePhysic);
         chmod($destination_dir . $fileNamePhysic, 0644);
-
+
+        if ($extension == 'svg') {
+            $sanitizer = new \enshrined\svgSanitize\Sanitizer();
+            $dirtySVG = file_get_contents($destination_dir . $fileNamePhysic);
+            $cleanSVG = $sanitizer->sanitize($dirtySVG);
+            file_put_contents($destination_dir . $fileNamePhysic, $cleanSVG);
+        }
+
         return $fileNamePhysic;
     }
 }

lhc_web/lib/core/lhcore/lhsys.php

@@ -227,6 +227,16 @@ public function __construct(){
         }
     }
 
+    public static function autoload($className)
+    {
+        $file = '.' . DIRECTORY_SEPARATOR . 'lib' . DIRECTORY_SEPARATOR . 'vendor_lhc' . DIRECTORY_SEPARATOR . str_replace('\\',DIRECTORY_SEPARATOR, $className) . '.php';
+
+        if (file_exists($file)) {
+            require_once $file;
+        }
+
+        return false;
+    }
 
     public static function instance()
     {