From 1d72b74c904b487e91fe4ea975610dd382ddea49 Mon Sep 17 00:00:00 2001
From: Aimeos
Date: Wed, 7 Jul 2021 09:01:41 +0200
Subject: [PATCH] Sanitize SVG images

---
 composer.json | 3 ++-
 lib/mwlib/src/MW/Media/Image/Svg.php | 9 +++++++++
 lib/mwlib/tests/MW/Media/Image/SvgTest.php | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/composer.json b/composer.json
index 75daca8f8c..4a162dc74c 100644
--- a/composer.json
+++ b/composer.json
@@ -28,7 +28,8 @@
 "nyholm/psr7": "^1.2",
 "doctrine/dbal": "~2.0",
 "psr/http-message": "~1.0",
- "voku/portable-ascii": "^1.4"
+ "voku/portable-ascii": "^1.4",
+ "enshrined/svg-sanitize": "^0.14"
 },
 "require-dev": {
 "php-coveralls/php-coveralls": "~2.0",
diff --git a/lib/mwlib/src/MW/Media/Image/Svg.php b/lib/mwlib/src/MW/Media/Image/Svg.php
index 110bd64e55..4266b8c2b2 100644
--- a/lib/mwlib/src/MW/Media/Image/Svg.php
+++ b/lib/mwlib/src/MW/Media/Image/Svg.php
@@ -10,6 +10,8 @@
 namespace Aimeos\MW\Media\Image;
+use enshrined\svgSanitize\Sanitizer;
+
 /**
 * Image class for SVG files
@@ -40,6 +42,13 @@ public function __construct( string $content, string $mimetype, array $options )
 $content = $string;
 }
+ $sanitizer = new Sanitizer();
+ $sanitizer->removeRemoteReferences( true );
+
+ if( ( $content = $sanitizer->sanitize( $content ) ) === false ) {
+ throw new \Aimeos\MW\Media\Exception( 'Invalid SVG file: ' . print_r( $sanitizer->getXmlIssues(), true ) );
+ }
+
 if( ( $this->svg = @simplexml_load_string( $content ) ) === false ) {
 throw new \Aimeos\MW\Media\Exception( 'Invalid SVG file' );
 }
diff --git a/lib/mwlib/tests/MW/Media/Image/SvgTest.php b/lib/mwlib/tests/MW/Media/Image/SvgTest.php
index 8c963c8129..2bb09d8ddc 100644
--- a/lib/mwlib/tests/MW/Media/Image/SvgTest.php
+++ b/lib/mwlib/tests/MW/Media/Image/SvgTest.php
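Review bot: `"enshrined/svg-sanitize": "^0.14"` is a caret constraint on a 0.x package, which Composer resolves to `>=0.14.0 <0.15.0`, so only 0.14 patch releases are picked up automatically and any later 0.x line carrying sanitizer fixes needs a manual constraint bump. That is fine as a deliberate choice, but it is worth a follow-up reminder, and if the project commits a lock file it should be regenerated in the same change so the resolved version is pinned alongside this edit.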
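Review bot: The exception thrown when `sanitize()` returns `false` embeds `print_r( $sanitizer->getXmlIssues(), true )`, so libxml's parse diagnostics for the untrusted upload become part of the message, whereas the `simplexml_load_string` failure two lines below throws the bare `'Invalid SVG file'`. Those diagnostics can quote fragments of the submitted file, so if the message reaches a response or an error page they are echoed back verbatim; keeping the thrown message generic and handing `getXmlIssues()` to a logger instead (assuming one is available to this class) would make both failure branches consistent and keep file contents out of user-facing errors. A one-line intent comment above `removeRemoteReferences( true )` would also help the next reader, e.g. `// strip references to remote resources so a stored SVG cannot trigger outbound fetches — confirm against the sanitizer docs`. The constructor begins and ends outside the hunk.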
@@ -70,7 +70,7 @@ public function testSaveContent()
 $media = new \Aimeos\MW\Media\Image\Svg( $this->content, 'image/svg+xml', [] );
 $result = $media->save();
- $this->assertStringStartsWith( '', $result );
+ $this->assertStringStartsWith( '', $result );
 }
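Review bot: The only assertion that changes is the expected prefix passed to `assertStringStartsWith`, and on this page both the removed and the added line read `''`, presumably because the expected string was lost in extraction, so the new prefix cannot be checked from here. More importantly, nothing in this test exercises the behaviour the commit adds: a fixture containing an element or attribute the sanitizer is expected to strip, with an assertion that it is absent from the `save()` output, and a malformed fixture asserting that the constructor throws `\Aimeos\MW\Media\Exception`, would pin the sanitisation rather than only the serialised prefix. The `testSaveContent` signature lies outside the hunk.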