From bf5f7e9fbc794e8b6ed8f39eee93cf0c8641133c Mon Sep 17 00:00:00 2001
From: Dan Callahan
Date: Sat, 23 Aug 2014 12:40:54 -0500
Subject: [PATCH] Allow SVG siteLogos to be specified as data: URIs

The only legitimate MIME type for SVGs is "image/svg+xml", but our whitelist contained "image/svg" instead. As a result, data-URI encoded SVGs were not allowed as the siteLogo.
---
 .../dialog/js/modules/validate_rp_params.js | 2 +-
 .../dialog/js/modules/validate_rp_params.js | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/resources/static/dialog/js/modules/validate_rp_params.js b/resources/static/dialog/js/modules/validate_rp_params.js
index ef6c72a6e..829fd688f 100644
--- a/resources/static/dialog/js/modules/validate_rp_params.js
+++ b/resources/static/dialog/js/modules/validate_rp_params.js
@@ -252,7 +252,7 @@ BrowserID.Modules.ValidateRpParams = (function() {
 var dataMatches = null; // is this a valid data URI?
 var outputLogoUri;
 // Ideally we'd be loading this from a canonical constants library.
- var imageMimeTypes = ['png', 'gif', 'jpg', 'jpeg', 'svg'];
+ var imageMimeTypes = ['png', 'gif', 'jpg', 'jpeg', 'svg+xml'];
 // This regex converts valid input of the form:
 // '...'
 // into an array that looks like:
diff --git a/resources/static/test/cases/dialog/js/modules/validate_rp_params.js b/resources/static/test/cases/dialog/js/modules/validate_rp_params.js
index e754a5493..1391fcfc1 100644
--- a/resources/static/test/cases/dialog/js/modules/validate_rp_params.js
+++ b/resources/static/test/cases/dialog/js/modules/validate_rp_params.js
@@ -245,6 +245,17 @@
 testExpectValidationFailure({siteLogo: URL});
 });
 
+ asyncTest("get with data:image/svg+xml;... siteLogo - allowed", function() {
+ testExpectValidationSuccess({
+ siteLogo: ""
+ },
+ {
+ siteLogo: ""
+ }
+ );
+ });
+
+
 asyncTest("get with data:image/;... siteLogo - allowed", function() {
 testExpectValidationSuccess({
 siteLogo: ""
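Review bot: The new whitelist entry `'svg+xml'` contains `+`, a regex metacharacter, so if `imageMimeTypes` is joined into a RegExp alternation further down (the comment right below the changed line announces a regex, but its construction lies outside this hunk) the pattern will read `svg+xml` as `sv`, one or more `g`, then `xml`, and will never match `image/svg+xml`; that path would need the entry escaped as `svg\+xml` or an escaping join. If instead the captured subtype is looked up in the array, the capture group's character class must admit `+`, so it is worth confirming that the `data:image/svg+xml` test added in the test file exercises this branch rather than passing for another reason. Separately, admitting SVG here deserves a one-line caveat, since SVG documents can carry `<script>` and external references and are inert only when rendered through `<img>` or a CSS background, not if the logo is ever inlined into the DOM; a comment such as `// SVG is only safe here because the logo is rendered via <img>; never inline it into the page` would record that assumption for whoever renders siteLogo. The enclosing function starts and ends outside this hunk.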
@@ -255,6 +266,11 @@
 );
 });
 
+ asyncTest("get with data:image/svg;... siteLogo - not allowed", function() {
+ var URL = "";
+ testExpectValidationFailure({siteLogo: URL});
+ });
+
 asyncTest("get with data:... siteLogo - not allowed", function() {
 var URL = "data:text/html;base64,FAKEDATA";
 testExpectValidationFailure({siteLogo: URL});