Sanitize SVG images

composer.json

@@ -28,7 +28,8 @@
 		"nyholm/psr7": "^1.2",
 		"doctrine/dbal": "~2.0",
 		"psr/http-message": "~1.0",
-		"voku/portable-ascii": "^1.4"
+		"voku/portable-ascii": "^1.4",
+		"enshrined/svg-sanitize": "^0.14"
 	},
 	"require-dev": {
 		"php-coveralls/php-coveralls": "~2.0",

lib/mwlib/src/MW/Media/Image/Svg.php

@@ -10,6 +10,8 @@
 
 namespace Aimeos\MW\Media\Image;
 
+use enshrined\svgSanitize\Sanitizer;
+
 
 /**
  * Image class for SVG files
@@ -40,6 +42,13 @@ public function __construct( string $content, string $mimetype, array $options )
 			$content = $string;
 		}
 
+		$sanitizer = new Sanitizer();
+		$sanitizer->removeRemoteReferences( true );
+
+		if( ( $content = $sanitizer->sanitize( $content ) ) === false ) {
+			throw new \Aimeos\MW\Media\Exception( 'Invalid SVG file: ' . print_r( $sanitizer->getXmlIssues(), true ) );
+		}
+
 		if( ( $this->svg = @simplexml_load_string( $content ) ) === false ) {
 			throw new \Aimeos\MW\Media\Exception( 'Invalid SVG file' );
 		}

lib/mwlib/tests/MW/Media/Image/SvgTest.php

@@ -70,7 +70,7 @@ public function testSaveContent()
 		$media = new \Aimeos\MW\Media\Image\Svg( $this->content, 'image/svg+xml', [] );
 		$result = $media->save();
 
-		$this->assertStringStartsWith( '<?xml version="1.0" standalone="yes"?>', $result );
+		$this->assertStringStartsWith( '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>', $result );
 	}