backup

sapk · sapk · commit 6ee9fe507eac · 2020-04-19T02:02:37.000+02:00
diff --git a/modules/util/svg/svg.go b/modules/util/svg/svg.go
@@ -27,9 +27,16 @@ func MinifySVG(svgData io.Reader) (*bytes.Buffer, error) {
 func SanitizeSVG(svgData io.Reader) *bytes.Buffer {
 	p := bluemonday.NewPolicy()
 	p.AllowElements("svg", "title", "path", "desc", "g")
-	p.AllowAttrs("id", "viewbox", "role", "aria-labelledby").OnElements("svg")
+	p.AllowAttrs("id", "viewbox", "role", "aria-labelledby", "xmlns", "xmlns:xlink", "xml:space").OnElements("svg")
 	p.AllowAttrs("id").OnElements("title", "desc")
 	p.AllowAttrs("id", "data-name", "class", "aria-label").OnElements("g")
 	p.AllowAttrs("id", "data-name", "class", "d", "transform", "aria-haspopup").OnElements("path")
+	p.AllowAttrs("x", "y", "width", "height").OnElements("rect")
+
+	//var invalidID = regexp.MustCompile(`((http|ftp)s?)|(url *\( *' *//)`)
+	//var validID = regexp.MustCompile(`(?!((http|ftp)s?)|(url *\( *' *//))`) //not supported
+	//p.AllowAttrs("fill").Matching(regexp.MustCompile(`((http|ftp)s?)|(url *\( *' *//)`)).OnElements("rect") //TODO match opposite
+
+	p.SkipElementsContent("this", "script")
 	return p.SanitizeReader(svgData)
 }
diff --git a/modules/util/svg/svg_test.go b/modules/util/svg/svg_test.go
@@ -132,6 +132,54 @@ func TestSanitizeSVG(t *testing.T) {
 		</g>
 	</svg>`,
 		},
+		{
+			name: "badXmlTestOne",
+			input: `<?xml version="1.0" encoding="utf-8"?>
+			<!-- Generator: Adobe Illustrator 16.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+			<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+			<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+				 width="600px" height="600px" viewBox="0 0 600 600" enable-background="new 0 0 600 600" xml:space="preserve">
+			<line onload="alert(2)" fill="none" stroke="#000000" stroke-miterlimit="10" x1="119" y1="84.5" x2="454" y2="84.5"/>
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="111.212" y1="102.852" x2="112.032" y2="476.623"/>
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="198.917" y1="510.229" x2="486.622" y2="501.213">
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="484.163" y1="442.196" x2="89.901" y2="60.229"/>
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="101.376" y1="478.262" x2="443.18" y2="75.803"/>
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="457.114" y1="126.623" x2="458.753" y2="363.508"/>
+			<this>shouldn't be here</this>
+			<script>alert(1);</script>
+			<line fill="none" stroke="#000000" stroke-miterlimit="10" x1="541.54" y1="299.573" x2="543.179" y2="536.458"/>
+			</svg>
+			`,
+			//want: ``,
+			want: `<svg id="Layer_1" viewbox="0 0 600 600"/>`,
+		},
+		{
+			name: "externalTest",
+			input: `<?xml version="1.0" encoding="utf-8" ?>
+			<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+			<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve">
+			<rect fill="url('http://example.com/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('https://example.com/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="  url(  ' https://example.com/benis.svg '  ) " x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('ftp://192.168.2.1/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('//example.com/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('#benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			</svg>
+			`,
+			//want: ``,
+			want: `<?xml version="1.0" encoding="utf-8" ?>
+			<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve">
+			<rect x="0" y="0" width="1000" height="1000"></rect>
+			<rect x="0" y="0" width="1000" height="1000"></rect>
+			<rect x="0" y="0" width="1000" height="1000"></rect>
+			<rect x="0" y="0" width="1000" height="1000"></rect>
+			<rect x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			<rect fill="url('#benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
+			</svg>
+			`,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
