diff --git a/app/Http/Controllers/Maps/CustomMapBackgroundController.php b/app/Http/Controllers/Maps/CustomMapBackgroundController.php
index 9e3dd86b5c..3b804ccca6 100644
--- a/app/Http/Controllers/Maps/CustomMapBackgroundController.php
+++ b/app/Http/Controllers/Maps/CustomMapBackgroundController.php
@@ -28,6 +28,7 @@ namespace App\Http\Controllers\Maps;
 use App\Http\Controllers\Controller;
 use App\Models\CustomMap;
 use App\Models\CustomMapBackground;
+use enshrined\svgSanitize\Sanitizer;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Cache;
@@ -96,13 +97,23 @@ class CustomMapBackgroundController extends Controller
 if ($request->image) {
 // if image type and we have image data (new image) save it
 $background = $map->background ?? new CustomMapBackground;
- $background->background_image = $request->image->getContent();
+
+ $image_content = $request->image->getContent();
+ $mimeType = $request->image->getMimeType();
+
+ // sanitize SVGs
+ if ($mimeType == 'image/svg+xml') {
+ $image_content = (new Sanitizer)->sanitize($image_content);
+ }
+
+ $background->background_image = $image_content;
+
 $map->background()->save($background);
 Cache::driver('file')->forget($this->getCacheKey($map)); // clear old image cache if present
 $map->background_data = array_merge($map->background_data ?? [], [
 'version' => md5($background->background_image),
 'original_filename' => $request->image->getClientOriginalName(),
- 'mime' => $request->image->getMimeType(),
+ 'mime' => $mimeType,
 ]);
 }
 } elseif ($map->getOriginal('background_type') == 'image') {
diff --git a/composer.json b/composer.json
index 284b2ec4cc..af8168f4c0 100644
--- a/composer.json
+++ b/composer.json
@@ -32,6 +32,7 @@
 "dapphp/radius": "^3.0",
 "doctrine/dbal": "^3.5",
 "easybook/geshi": "^1.0.8",
+ "enshrined/svg-sanitize": "^0.20.0",
 "ezyang/htmlpurifier": "^4.8",
 "fico7489/laravel-pivot": "^3.0",
 "influxdata/influxdb-client-php": "^3.4",
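Review bot: The sanitizer's failure path is not handled in the second hunk: `Sanitizer::sanitize()` returns `false` rather than a string when the input cannot be parsed as XML, and that `false` is then assigned to `$background->background_image`, saved, and passed to `md5()` for the version, so a malformed SVG ends up stored as an empty image instead of being rejected. Add a check directly after the call, e.g. `if ($image_content === false) { abort(422, 'Invalid SVG image'); }`, reporting the error in whatever form the rest of this method uses (the method begins outside the hunk). The gate `if ($mimeType == 'image/svg+xml')` should compare with `===`; it also relies solely on the content-detected MIME type, so an SVG body that finfo classifies as `text/xml`, `application/xml` or `text/plain` skips sanitization entirely. Unless the FormRequest validating `image` already restricts the accepted types, rejecting any upload whose detected type is not in an explicit image allowlist closes that gap independently of detection quirks.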
diff --git a/composer.lock b/composer.lock index 2678585a8c..3d89a15305 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "cfd22f9b26f539a6adc0ee571737bfcf", + "content-hash": "fee5d24447dced4397e26066f8c9ee59", "packages": [ { "name": "amenadiel/jpgraph", @@ -1175,6 +1175,51 @@ ], "time": "2023-10-06T06:47:41+00:00" }, + { + "name": "enshrined/svg-sanitize", + "version": "0.20.0", + "source": { + "type": "git", + "url": "https://github.com/darylldoyle/svg-sanitizer.git", + "reference": "068d9fcf912c88a0471d101d95a2caa87c50aee7" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/068d9fcf912c88a0471d101d95a2caa87c50aee7", + "reference": "068d9fcf912c88a0471d101d95a2caa87c50aee7", + "shasum": "" + }, + "require": { + "ext-dom": "*", + "ext-libxml": "*", + "php": "^7.1 || ^8.0" + }, + "require-dev": { + "phpunit/phpunit": "^6.5 || ^8.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "enshrined\\svgSanitize\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "Daryll Doyle", + "email": "daryll@enshrined.co.uk" + } + ], + "description": "An SVG sanitizer for PHP", + "support": { + "issues": "https://github.com/darylldoyle/svg-sanitizer/issues", + "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.20.0" + }, + "time": "2024-09-05T10:18:12+00:00" + }, { "name": "ezyang/htmlpurifier", "version": "v4.17.0",