qurantine bad SVGs

CHANGELOG.md

@@ -3,6 +3,7 @@
 
 1. [](#improved)
     * Added support for loading Flex Directory configuration from main configuration
+    * Move SVGs that cannot be sanitized to quarantine folder under `log://quarantine`
 1. [](#bugfix)
     * Fixed error when using Flex `SimpleStorage` with no entries
     * Fixed page search to include slug field [#3316](https://github.com/getgrav/grav/issues/3316)

system/src/Grav/Common/Security.php

@@ -12,6 +12,7 @@
 use enshrined\svgSanitize\Sanitizer;
 use Exception;
 use Grav\Common\Config\Config;
+use Grav\Common\Filesystem\Folder;
 use Grav\Common\Page\Pages;
 use function chr;
 use function count;
@@ -56,9 +57,16 @@ public static function sanitizeSVG(string $file): void
             $original_svg = file_get_contents($file);
             $clean_svg = $sanitizer->sanitize($original_svg);
 
-            // TODO: what to do with bad SVG files which return false?
-            if ($clean_svg !== false && $clean_svg !== $original_svg) {
+            // Quarantine bad SVG files and throw exception
+            if ($clean_svg !== false ) {
                 file_put_contents($file, $clean_svg);
+            } else {
+                $quarantine_file = basename($file);
+                $quarantine_dir = 'log://quarantine';
+                Folder::mkdir($quarantine_dir);
+                file_put_contents("$quarantine_dir/$quarantine_file", $original_svg);
+                unlink($file);
+                throw new Exception('SVG could not be sanitized, it has been moved to the logs/quarantine folder');
             }
         }
     }