fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-11 04:52:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

Use enshrined\svgSanitize to clean SVG file content

Browse source
This commit is contained in:
Kijin Sung 2026-02-20 21:55:29 +09:00
parent a18b45f0f8
commit bf2df84d0f
2 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
common/framework/Security.php
View file

@ -38,6 +38,12 @@ class Security
if (!utf8_check($input)) return false; if (!utf8_check($input)) return false;
return Filters\FilenameFilter::clean($input); return Filters\FilenameFilter::clean($input);
// Clean up SVG content to prevent various attacks.
case 'svg':
if (!utf8_check($input)) return false;
$sanitizer = new \enshrined\svgSanitize\Sanitizer();
return strval($sanitizer->sanitize($input));
// Unknown filters. // Unknown filters.
default: default:
throw new Exception('Unknown filter type for sanitize: ' . $type); throw new Exception('Unknown filter type for sanitize: ' . $type);

8
modules/file/file.controller.php
View file

@ -936,6 +936,14 @@ class FileController extends File
} }
} }
// Sanitize SVG
if(!$manual_insert && !$this->user->isAdmin() && ($file_info['type'] === 'image/svg+xml' || $file_info['extension'] === 'svg'))
{
$dirty_svg = Rhymix\Framework\Storage::read($file_info['tmp_name']);
$clean_svg = Rhymix\Framework\Security::sanitize($dirty_svg, 'svg');
Rhymix\Framework\Storage::write($file_info['tmp_name'], $clean_svg);
}
// Adjust // Adjust
if(!$manual_insert) if(!$manual_insert)
{ {