Version Description
- Underlying library update that fixes a security issue
Download this release
Release Info
| Developer | enshrined |
| Plugin |  Safe SVG |
| Version | 1.9.6 |
| Comparing to | |
| See all releases | |
Code changes from version 1.9.5 to 1.9.6
- lib/composer.lock +5 -5
- lib/vendor/composer/installed.json +6 -6
- lib/vendor/enshrined/svg-sanitize/src/Sanitizer.php +52 -22
- lib/vendor/enshrined/svg-sanitize/tests/data/hrefCleanOne.svg +1 -0
- lib/vendor/enshrined/svg-sanitize/tests/data/hrefTestOne.svg +1 -0
- lib/vendor/enshrined/svg-sanitize/tests/data/useClean.svg +1 -0
- readme.txt +4 -1
- safe-svg.php +1 -1
lib/composer.lock
CHANGED
|
@@ -8,16 +8,16 @@
|
|
| 8 |
"packages": [
|
| 9 |
{
|
| 10 |
"name": "enshrined/svg-sanitize",
|
| 11 |
-
"version": "0.
|
| 12 |
"source": {
|
| 13 |
"type": "git",
|
| 14 |
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
|
| 15 |
-
"reference": "
|
| 16 |
},
|
| 17 |
"dist": {
|
| 18 |
"type": "zip",
|
| 19 |
-
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/
|
| 20 |
-
"reference": "
|
| 21 |
"shasum": ""
|
| 22 |
},
|
| 23 |
"require": {
|
|
@@ -45,7 +45,7 @@
|
|
| 45 |
}
|
| 46 |
],
|
| 47 |
"description": "An SVG sanitizer for PHP",
|
| 48 |
-
"time": "2019-
|
| 49 |
}
|
| 50 |
],
|
| 51 |
"packages-dev": [],
|
| 8 |
"packages": [
|
| 9 |
{
|
| 10 |
"name": "enshrined/svg-sanitize",
|
| 11 |
+
"version": "0.13.0",
|
| 12 |
"source": {
|
| 13 |
"type": "git",
|
| 14 |
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
|
| 15 |
+
"reference": "4cf8d0f61edf9f00b84e162fc229176a362da247"
|
| 16 |
},
|
| 17 |
"dist": {
|
| 18 |
"type": "zip",
|
| 19 |
+
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/4cf8d0f61edf9f00b84e162fc229176a362da247",
|
| 20 |
+
"reference": "4cf8d0f61edf9f00b84e162fc229176a362da247",
|
| 21 |
"shasum": ""
|
| 22 |
},
|
| 23 |
"require": {
|
| 45 |
}
|
| 46 |
],
|
| 47 |
"description": "An SVG sanitizer for PHP",
|
| 48 |
+
"time": "2019-11-07T09:16:31+00:00"
|
| 49 |
}
|
| 50 |
],
|
| 51 |
"packages-dev": [],
|
lib/vendor/composer/installed.json
CHANGED
|
@@ -1,17 +1,17 @@
|
|
| 1 |
[
|
| 2 |
{
|
| 3 |
"name": "enshrined/svg-sanitize",
|
| 4 |
-
"version": "0.
|
| 5 |
-
"version_normalized": "0.
|
| 6 |
"source": {
|
| 7 |
"type": "git",
|
| 8 |
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
|
| 9 |
-
"reference": "
|
| 10 |
},
|
| 11 |
"dist": {
|
| 12 |
"type": "zip",
|
| 13 |
-
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/
|
| 14 |
-
"reference": "
|
| 15 |
"shasum": ""
|
| 16 |
},
|
| 17 |
"require": {
|
|
@@ -22,7 +22,7 @@
|
|
| 22 |
"codeclimate/php-test-reporter": "^0.1.2",
|
| 23 |
"phpunit/phpunit": "^6"
|
| 24 |
},
|
| 25 |
-
"time": "2019-
|
| 26 |
"type": "library",
|
| 27 |
"installation-source": "dist",
|
| 28 |
"autoload": {
|
| 1 |
[
|
| 2 |
{
|
| 3 |
"name": "enshrined/svg-sanitize",
|
| 4 |
+
"version": "0.13.0",
|
| 5 |
+
"version_normalized": "0.13.0.0",
|
| 6 |
"source": {
|
| 7 |
"type": "git",
|
| 8 |
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
|
| 9 |
+
"reference": "4cf8d0f61edf9f00b84e162fc229176a362da247"
|
| 10 |
},
|
| 11 |
"dist": {
|
| 12 |
"type": "zip",
|
| 13 |
+
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/4cf8d0f61edf9f00b84e162fc229176a362da247",
|
| 14 |
+
"reference": "4cf8d0f61edf9f00b84e162fc229176a362da247",
|
| 15 |
"shasum": ""
|
| 16 |
},
|
| 17 |
"require": {
|
| 22 |
"codeclimate/php-test-reporter": "^0.1.2",
|
| 23 |
"phpunit/phpunit": "^6"
|
| 24 |
},
|
| 25 |
+
"time": "2019-11-07T09:16:31+00:00",
|
| 26 |
"type": "library",
|
| 27 |
"installation-source": "dist",
|
| 28 |
"autoload": {
|
lib/vendor/enshrined/svg-sanitize/src/Sanitizer.php
CHANGED
|
@@ -18,11 +18,6 @@ use enshrined\svgSanitize\ElementReference\Subject;
|
|
| 18 |
class Sanitizer
|
| 19 |
{
|
| 20 |
|
| 21 |
-
/**
|
| 22 |
-
* Regex to catch script and data values in attributes
|
| 23 |
-
*/
|
| 24 |
-
const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi';
|
| 25 |
-
|
| 26 |
/**
|
| 27 |
* @var \DOMDocument
|
| 28 |
*/
|
|
@@ -372,22 +367,12 @@ class Sanitizer
|
|
| 372 |
protected function cleanXlinkHrefs(\DOMElement $element)
|
| 373 |
{
|
| 374 |
$xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href');
|
| 375 |
-
if (
|
| 376 |
-
|
| 377 |
-
|
| 378 |
-
'
|
| 379 |
-
'
|
| 380 |
-
|
| 381 |
-
'data:image/pjp', // PJPEG
|
| 382 |
-
))) {
|
| 383 |
-
$element->removeAttributeNS( 'http://www.w3.org/1999/xlink', 'href' );
|
| 384 |
-
$this->xmlIssues[] = array(
|
| 385 |
-
'message' => 'Suspicious attribute \'href\'',
|
| 386 |
-
'line' => $element->getLineNo(),
|
| 387 |
-
);
|
| 388 |
-
|
| 389 |
-
|
| 390 |
-
}
|
| 391 |
}
|
| 392 |
}
|
| 393 |
|
|
@@ -399,7 +384,7 @@ class Sanitizer
|
|
| 399 |
protected function cleanHrefs(\DOMElement $element)
|
| 400 |
{
|
| 401 |
$href = $element->getAttribute('href');
|
| 402 |
-
if (
|
| 403 |
$element->removeAttribute('href');
|
| 404 |
$this->xmlIssues[] = array(
|
| 405 |
'message' => 'Suspicious attribute \'href\'',
|
|
@@ -408,6 +393,51 @@ class Sanitizer
|
|
| 408 |
}
|
| 409 |
}
|
| 410 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 411 |
/**
|
| 412 |
* Removes non-printable ASCII characters from string & trims it
|
| 413 |
*
|
| 18 |
class Sanitizer
|
| 19 |
{
|
| 20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 21 |
/**
|
| 22 |
* @var \DOMDocument
|
| 23 |
*/
|
| 367 |
protected function cleanXlinkHrefs(\DOMElement $element)
|
| 368 |
{
|
| 369 |
$xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href');
|
| 370 |
+
if (false === $this->isHrefSafeValue($xlinks)) {
|
| 371 |
+
$element->removeAttributeNS( 'http://www.w3.org/1999/xlink', 'href' );
|
| 372 |
+
$this->xmlIssues[] = array(
|
| 373 |
+
'message' => 'Suspicious attribute \'href\'',
|
| 374 |
+
'line' => $element->getLineNo(),
|
| 375 |
+
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 376 |
}
|
| 377 |
}
|
| 378 |
|
| 384 |
protected function cleanHrefs(\DOMElement $element)
|
| 385 |
{
|
| 386 |
$href = $element->getAttribute('href');
|
| 387 |
+
if (false === $this->isHrefSafeValue($href)) {
|
| 388 |
$element->removeAttribute('href');
|
| 389 |
$this->xmlIssues[] = array(
|
| 390 |
'message' => 'Suspicious attribute \'href\'',
|
| 393 |
}
|
| 394 |
}
|
| 395 |
|
| 396 |
+
/**
|
| 397 |
+
* Only allow whitelisted starts to be within the href.
|
| 398 |
+
*
|
| 399 |
+
* This will stop scripts etc from being passed through, with or without attempting to hide bypasses.
|
| 400 |
+
* This stops the need for us to use a complicated script regex.
|
| 401 |
+
*
|
| 402 |
+
* @param $value
|
| 403 |
+
* @return bool
|
| 404 |
+
*/
|
| 405 |
+
protected function isHrefSafeValue($value) {
|
| 406 |
+
|
| 407 |
+
// Allow fragment identifiers.
|
| 408 |
+
if ('#' === substr($value, 0, 1)) {
|
| 409 |
+
return true;
|
| 410 |
+
}
|
| 411 |
+
|
| 412 |
+
// Allow relative URIs.
|
| 413 |
+
if ('/' === substr($value, 0, 1)) {
|
| 414 |
+
return true;
|
| 415 |
+
}
|
| 416 |
+
|
| 417 |
+
// Allow HTTPS domains.
|
| 418 |
+
if ('https://' === substr($value, 0, 8)) {
|
| 419 |
+
return true;
|
| 420 |
+
}
|
| 421 |
+
|
| 422 |
+
// Allow HTTP domains.
|
| 423 |
+
if ('http://' === substr($value, 0, 7)) {
|
| 424 |
+
return true;
|
| 425 |
+
}
|
| 426 |
+
|
| 427 |
+
// Allow known data URIs.
|
| 428 |
+
if (in_array(substr($value, 0, 14), array(
|
| 429 |
+
'data:image/png', // PNG
|
| 430 |
+
'data:image/gif', // GIF
|
| 431 |
+
'data:image/jpg', // JPG
|
| 432 |
+
'data:image/jpe', // JPEG
|
| 433 |
+
'data:image/pjp', // PJPEG
|
| 434 |
+
))) {
|
| 435 |
+
return true;
|
| 436 |
+
}
|
| 437 |
+
|
| 438 |
+
return false;
|
| 439 |
+
}
|
| 440 |
+
|
| 441 |
/**
|
| 442 |
* Removes non-printable ASCII characters from string & trims it
|
| 443 |
*
|
lib/vendor/enshrined/svg-sanitize/tests/data/hrefCleanOne.svg
CHANGED
|
@@ -8,4 +8,5 @@
|
|
| 8 |
<a>test 6</a>
|
| 9 |
|
| 10 |
<a>test 7</a>
|
|
|
|
| 11 |
</svg>
|
| 8 |
<a>test 6</a>
|
| 9 |
|
| 10 |
<a>test 7</a>
|
| 11 |
+
<a>test 8</a>
|
| 12 |
</svg>
|
lib/vendor/enshrined/svg-sanitize/tests/data/hrefTestOne.svg
CHANGED
|
@@ -8,4 +8,5 @@
|
|
| 8 |
<a xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E">test 6</a>
|
| 9 |
|
| 10 |
<a href="javascript	:alert(document.domain)">test 7</a>
|
|
|
|
| 11 |
</svg>
|
| 8 |
<a xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E">test 6</a>
|
| 9 |
|
| 10 |
<a href="javascript	:alert(document.domain)">test 7</a>
|
| 11 |
+
<a href="javascrip	t:alert('0xd0ff9')">test 8</a>
|
| 12 |
</svg>
|
lib/vendor/enshrined/svg-sanitize/tests/data/useClean.svg
CHANGED
|
@@ -1,4 +1,5 @@
|
|
| 1 |
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 68 65">
|
| 2 |
<use xlink:href="#a" x="28" fill="#1A374D"/>
|
| 3 |
<path id="a" d="M14 27v-20c0-3.7-3.3-7-7-7s-7 3.3-7 7v41c0 8.2 9.2 17 20 17s20-9.2 20-20c0-13.3-13.4-21.8-26-18zm6 25c-4 0-7-3-7-7s3-7 7-7 7 3 7 7-3 7-7 7z"/>
|
|
|
|
| 4 |
</svg>
|
| 1 |
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 68 65">
|
| 2 |
<use xlink:href="#a" x="28" fill="#1A374D"/>
|
| 3 |
<path id="a" d="M14 27v-20c0-3.7-3.3-7-7-7s-7 3.3-7 7v41c0 8.2 9.2 17 20 17s20-9.2 20-20c0-13.3-13.4-21.8-26-18zm6 25c-4 0-7-3-7-7s3-7 7-7 7 3 7 7-3 7-7 7z"/>
|
| 4 |
+
<use />
|
| 5 |
</svg>
|
readme.txt
CHANGED
|
@@ -5,7 +5,7 @@ Tags: svg, sanitize, upload, sanitise, security, svg upload, image, vector, file
|
|
| 5 |
Requires at least: 4.0
|
| 6 |
Tested up to: 5.2.2
|
| 7 |
Requires PHP: 5.6
|
| 8 |
-
Stable tag: 1.9.
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
|
@@ -72,6 +72,9 @@ They take one argument that must be returned. See below for examples:
|
|
| 72 |
|
| 73 |
== Changelog ==
|
| 74 |
|
|
|
|
|
|
|
|
|
|
| 75 |
= 1.9.5 =
|
| 76 |
* Underlying library update that fixes some security issues
|
| 77 |
|
| 5 |
Requires at least: 4.0
|
| 6 |
Tested up to: 5.2.2
|
| 7 |
Requires PHP: 5.6
|
| 8 |
+
Stable tag: 1.9.6
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
| 72 |
|
| 73 |
== Changelog ==
|
| 74 |
|
| 75 |
+
= 1.9.6 =
|
| 76 |
+
* Underlying library update that fixes a security issue
|
| 77 |
+
|
| 78 |
= 1.9.5 =
|
| 79 |
* Underlying library update that fixes some security issues
|
| 80 |
|
safe-svg.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
Plugin Name: Safe SVG
|
| 4 |
Plugin URI: https://wpsvg.com/
|
| 5 |
Description: Allows SVG uploads into WordPress and sanitizes the SVG before saving it
|
| 6 |
-
Version: 1.9.
|
| 7 |
Author: Daryll Doyle
|
| 8 |
Author URI: http://enshrined.co.uk
|
| 9 |
Text Domain: safe-svg
|
| 3 |
Plugin Name: Safe SVG
|
| 4 |
Plugin URI: https://wpsvg.com/
|
| 5 |
Description: Allows SVG uploads into WordPress and sanitizes the SVG before saving it
|
| 6 |
+
Version: 1.9.6
|
| 7 |
Author: Daryll Doyle
|
| 8 |
Author URI: http://enshrined.co.uk
|
| 9 |
Text Domain: safe-svg
|
