From a18b45f0f81a0adf230268a523a80eed0ba246ab Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Fri, 20 Feb 2026 21:40:37 +0900
Subject: [PATCH] Strip namespace prefixes before checking dangerous tags in SVG
---
 common/framework/filters/FileContentFilter.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/common/framework/filters/FileContentFilter.php b/common/framework/filters/FileContentFilter.php
index 272fe3477..6bfa5cf53 100644
--- a/common/framework/filters/FileContentFilter.php
+++ b/common/framework/filters/FileContentFilter.php
@@ -44,7 +44,7 @@ class FileContentFilter
 $skip_xml = preg_match('/^(hwpx)$/', $ext);
 // Check SVG files.
- if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize))
+ if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize, $ext))
 {
 fclose($fp);
 return false;
@@ -89,11 +89,12 @@ class FileContentFilter
 * @param resource $fp
 * @param int $from
 * @param int $to
+ * @param string $ext
 * @return bool
 */
- protected static function _checkSVG($fp, $from, $to)
+ protected static function _checkSVG($fp, $from, $to, $ext)
 {
- if (self::_matchStream('/(?:<|<)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
+ if (self::_matchStream('/(?:<|<|:)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|(?:\s|:)href\s*=\s*"(?!data:)/i', $fp, $from, $to))
 {
 return false;
 }
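Review bot: The rewritten `href` alternative in `_checkSVG` still recognises only double-quoted attribute values (`href\s*=\s*"(?!data:)`), while XML allows single-quoted values as well, so the namespace fix does not cover that form unless a later check does. `_checkSVG` continues past the end of this hunk, so any such later check is not visible here. Consider `(?:\s|:)href\s*=\s*["\'](?!data:)` for that alternative. The new `$ext` parameter is not read in the lines shown and its `@param string $ext` entry has no description; it should state what the extension changes in the check, since the first hunk also routes generic XML files through this function.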