feat(svg): sanitize file jsut after saving on server

composer.json

@@ -8,19 +8,21 @@
     "scripts": {
       "test": "phpunit --do-not-cache-result --stderr tests",
       "post-install-cmd": [
-        "@composer install --working-dir ./tools/autoupdate/"
+        "@composer install --working-dir ./tools/autoupdate/",
+        "@php -r \"array_map('unlink', glob('vendor/enshrined/svg-sanitize/tests/data/*.svg'));\""
       ],
       "post-update-cmd": [
         "@composer update --working-dir ./tools/autoupdate/"
       ]
     },
     "require": {
         "php": "^7.3 || ^8.0",
+        "ext-json": "*",
+        "ext-mysqli": "*",
         "caxy/php-htmldiff": "^0.1.13",
         "doctrine/annotations": "^1.11",
         "doctrine/cache": "^1.10",
-        "ext-json": "*",
-        "ext-mysqli": "*",
+        "enshrined/svg-sanitize": "^0.14.1",
         "oomphinc/composer-installers-extender": "^2.0",
         "phpmailer/phpmailer": "^6.2",
         "symfony/config": "^5.1",

tools/attach/libs/attach.lib.php

@@ -34,6 +34,7 @@
 # voir actions/attach.php ppour la documentation
 # copyrigth Eric Feldstein 2003-2004
 
+use enshrined\svgSanitize\Sanitizer;
 use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
 use YesWiki\Core\Service\LinkTracker;
 
@@ -734,6 +735,9 @@ public function performUpload()
                 $srcFile = $_FILES['upFile']['tmp_name'];
                 if (move_uploaded_file($srcFile, $destFile)) {
                     chmod($destFile, 0644);
+                    if ($ext  === "svg") {
+                        $this->sanitizeSVGfile($destFile);
+                    }
                     header("Location: " . $this->wiki->href("", $this->wiki->GetPageTag(), ""));
                 } else {
                     echo "<div class=\"alert alert-error alert-danger\">" . _t('ERROR_MOVING_TEMPORARY_FILE') . "</div>\n";
@@ -1173,5 +1177,24 @@ public function redimensionner_image($image_src, $image_dest, $largeur, $hauteur
                 return $imgTrans->targetFile;
             }
         }
+
+        /**
+         * @param string $content of svg
+         * @return string $content
+         */
+        public function sanitizeSVG(string $content): string
+        {
+            $sanitizer = new Sanitizer();
+            return $sanitizer->sanitize($content);
+        }
+
+        /**
+         * @param string $filePath svg
+         */
+        public function sanitizeSVGfile(string $filePath)
+        {
+            $content = file_get_contents($filePath);
+            file_put_contents($filePath, $this->sanitizeSVG($content));
+        }
     }
 }

tools/attach/libs/qq.lib.php

@@ -204,6 +204,9 @@ public function handleUpload($uploadDirectory, $replaceOldFile = false)
             ob_end_clean();
 
             if ($this->file->save($fullfilename)) {
+                if ($ext === "svg") {
+                    $attach->sanitizeSVGfile($fullfilename);
+                }
                 return array_map('utf8_encode', array('success'=>true, 'filename'=>$fullfilename, 'simplefilename'=>$filename . '.' . $ext, 'extension'=>$ext));
             } else {
                 return array_map(