Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* setting up the svg saniziter on logo and assets upload * more detailed exception message * changed to mime type check instead of file extension * adding the sanitization to "Upload new version" * refactor to sanitize on preAdd/preUpdate, rollback AssetController.php * fix resource|string, null given on mime_content_type * using symfony mime component + small tweaks * avoiding save without changes case * tweak when checking if is image type
- Loading branch information
Showing
4 changed files
with
103 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
80 changes: 80 additions & 0 deletions
80
bundles/CoreBundle/EventListener/AssetSanitizationListener.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
<?php | ||
|
||
/** | ||
* Pimcore | ||
* | ||
* This source file is available under two different licenses: | ||
* - GNU General Public License version 3 (GPLv3) | ||
* - Pimcore Commercial License (PCL) | ||
* Full copyright and license information is available in | ||
* LICENSE.md which is distributed with this source code. | ||
* | ||
* @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org) | ||
* @license http://www.pimcore.org/license GPLv3 and PCL | ||
*/ | ||
|
||
namespace Pimcore\Bundle\CoreBundle\EventListener; | ||
|
||
|
||
use Pimcore\Event\AssetEvents; | ||
use Pimcore\Event\Model\ElementEventInterface; | ||
use Pimcore\Model\Asset; | ||
use Symfony\Component\EventDispatcher\EventSubscriberInterface; | ||
use enshrined\svgSanitize\Sanitizer; | ||
use Symfony\Component\Mime\MimeTypes; | ||
|
||
/** | ||
* @internal | ||
*/ | ||
class AssetSanitizationListener implements EventSubscriberInterface | ||
{ | ||
public static function getSubscribedEvents() | ||
{ | ||
return [ | ||
AssetEvents::PRE_ADD => 'sanitizeAsset', | ||
AssetEvents::PRE_UPDATE => 'sanitizeAsset', | ||
]; | ||
} | ||
|
||
/** | ||
* @param ElementEventInterface $e | ||
*/ | ||
public function sanitizeAsset(ElementEventInterface $e) | ||
{ | ||
$element = $e->getElement(); | ||
|
||
if ($element instanceof Asset\Image && $element->getDataChanged()) { | ||
$assetStream = $element->getStream(); | ||
|
||
if (isset($assetStream)) { | ||
$streamMetaData = stream_get_meta_data($assetStream); | ||
$mime = MimeTypes::getDefault()->guessMimeType($streamMetaData['uri']); | ||
|
||
if ($mime === 'image/svg+xml') { | ||
$sanitizedData = $this->sanitizeSVG(stream_get_contents($assetStream)); | ||
$element->setData($sanitizedData); | ||
} | ||
} | ||
} | ||
} | ||
|
||
/** | ||
* @param string $fileContent | ||
* | ||
* @return string | ||
* | ||
* @throws \Exception | ||
*/ | ||
|
||
protected function sanitizeSVG(string $fileContent) | ||
{ | ||
$sanitizer = new Sanitizer(); | ||
$sanitizedFileContent = $sanitizer->sanitize($fileContent); | ||
|
||
if (!$sanitizedFileContent) { | ||
throw new \Exception('SVG Sanitization failed, probably due badly formatted XML.'); | ||
} | ||
|
||
return $sanitizedFileContent; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters