use svg-sanitize to sanitize SVG files

Shish 2018-02-20 21:35:43 +00:00
parent 18879ddc4c
commit bc68137797
5 changed files with 70 additions and 3 deletions


@ -30,6 +30,7 @@
"google/recaptcha" : "~1.1",
"dapphp/securimage" : "3.6.*",
"shish/libcontext-php" : "dev-master",
"enshrined/svg-sanitize" : "0.8.2",
"bower-asset/jquery" : "1.12.3",
"bower-asset/jquery-timeago" : "1.5.2",

composer.lock generated

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "eb5180245fbf27fb02d9a4018a2ff059",
"content-hash": "fd0ccce172ded2999f5ced0884990541",
"packages": [
{
"name": "bower-asset/jquery",
@ -152,6 +152,43 @@
],
"time": "2017-11-21T02:29:19+00:00"
},
{
"name": "enshrined/svg-sanitize",
"version": "0.8.2",
"source": {
"type": "git",
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
"reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
"reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
"shasum": ""
},
"require-dev": {
"codeclimate/php-test-reporter": "^0.1.2",
"phpunit/phpunit": "^4.7"
},
"type": "library",
"autoload": {
"psr-4": {
"enshrined\\svgSanitize\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"GPL-2.0+"
],
"authors": [
{
"name": "Daryll Doyle",
"email": "daryll@enshrined.co.uk"
}
],
"description": "An SVG sanitizer for PHP",
"time": "2017-12-06T15:31:26+00:00"
},
{
"name": "flexihash/flexihash",
"version": "v2.0.2",


@ -6,11 +6,19 @@
* Description: Handle static SVG files. (No thumbnail is generated for SVG files)
*/
use enshrined\svgSanitize\Sanitizer;
class SVGFileHandler extends Extension {
public function onDataUpload(DataUploadEvent $event) {
if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) {
$hash = $event->hash;
move_upload_to_archive($event);
$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true);
$dirtySVG = file_get_contents($event->tmpname);
$cleanSVG = $sanitizer->sanitize($dirtySVG);
file_put_contents(warehouse_path("images", $hash), $cleanSVG);
send_event(new ThumbnailGenerationEvent($event->hash, $event->type));
$image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata);
if(is_null($image)) {
@ -46,7 +54,12 @@ class SVGFileHandler extends Extension {
$page->set_type("image/svg+xml");
$page->set_mode("data");
$page->set_data(file_get_contents(warehouse_path("images", $hash)));
$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true);
$dirtySVG = file_get_contents(warehouse_path("images", $hash));
$cleanSVG = $sanitizer->sanitize($dirtySVG);
$page->set_data($cleanSVG);
}
}
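Review bot: Neither hunk checks the result of `$sanitizer->sanitize($dirtySVG)`, which returns `false` when the input cannot be parsed as XML; in onDataUpload the `file_put_contents(warehouse_path("images", $hash), $cleanSVG)` line would then write an empty file over the archived upload and still send the thumbnail event, and in the second hunk `$page->set_data($cleanSVG)` would serve an empty body. Fail closed on that value before the write, e.g. `if ($cleanSVG === false) { throw new Exception("Could not sanitize SVG"); }`, in both places. In the second hunk the context line `$page->set_data(file_get_contents(warehouse_path("images", $hash)));` directly above the new code is now dead (the file is read twice and the first set_data is overwritten), so drop it. Sanitizing the upload before `move_upload_to_archive($event)` rather than after would also avoid writing the unsanitized file into the archive first and then overwriting it; and if move_upload_to_archive moves rather than copies (not visible here), `file_get_contents($event->tmpname)` would read a file that no longer exists, so confirm which it does. The SVGFileHandler class and both methods continue outside these hunks.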


@ -10,5 +10,13 @@ class SVGHandlerTest extends ShimmiePHPUnitTestCase {
# FIXME: test that the thumb works
# FIXME: test that it gets displayed properly
}
public function testAbuiveSVG() {
$this->log_in_as_user();
$image_id = $this->post_image("tests/alert.svg", "something");
$this->get_page("post/view/$image_id");
$this->get_page("get_svg/$image_id");
$this->assert_no_content("script");
}
}
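Review bot: `testAbuiveSVG` is misspelled (`testAbusiveSVG`), and its only assertion, `$this->assert_no_content("script");`, runs after the last request, so it checks the `get_svg/$image_id` response only — the `post/view/$image_id` page fetched just before is never asserted on. Adding the same assertion after the `post/view` request would cover the embedding page as well. The fixture exercises only a `<script>` element, so the other behaviour the handler enables, `removeRemoteReferences(true)`, is not covered by this test; a comment such as `// covers only inline script removal; remote-reference stripping is untested` on the test would make that gap visible. The enclosing SVGHandlerTest class starts outside the hunk.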

tests/alert.svg Normal file

@ -0,0 +1,8 @@
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
