Validate both bare and namespaced SVG image HREF attributes

dompdf · Feb 7, 2023 · 95009ea · 95009ea
1 parent 2a8a6b8
commit 95009ea
Showing 1 changed file with 14 additions and 9 deletions.
diff --git a/src/Image/Cache.php b/src/Image/Cache.php
@@ -135,15 +135,19 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options
                     function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
                         if (strtolower($name) === "image") {
                             $attributes = array_change_key_case($attributes, CASE_LOWER);
-                            $url = $attributes["xlink:href"] ?? $attributes["href"];
-                            if (!empty($url)) {
-                                $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
-                                if ($inner_full_url === $full_url) {
-                                    throw new ImageException("SVG self-reference is not allowed", E_WARNING);
-                                }
-                                [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
-                                if (!empty($message)) {
-                                    throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
+                            $urls = [];
+                            $urls[] = $attributes["xlink:href"] ?? "";
+                            $urls[] = $attributes["href"] ?? "";
+                            foreach ($urls as $url) {
+                                if (!empty($url)) {
+                                    $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
+                                    if ($inner_full_url === $full_url) {
+                                        throw new ImageException("SVG self-reference is not allowed", E_WARNING);
+                                    }
+                                    [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
+                                    if (!empty($message)) {
+                                        throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
+                                    }
                                 }
                             }
                         }
@@ -156,6 +160,7 @@ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
                         xml_parse($parser, $line, false);
                     }
                     fclose($fp);
+                    xml_parse($parser, "", true);
                 }
                 xml_parser_free($parser);
             }