highperfocused/imgproxy
1
0
Fork 0
mirror of https://github.com/imgproxy/imgproxy.git synced 2025-09-29 04:53:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

Sanitize use tag in SVG

Browse Source
This commit is contained in:
DarthSim
2023-02-25 18:56:22 +03:00
parent 947d65cf29
commit 62f8d08a93
2 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -8,6 +8,7 @@
### Change
- Make the `expires` processing option set `Expires` and `Cache-Control` headers.
- Sanitize `use` tags in SVGs.
## [3.13.2] - 2023-02-15
### Change

19
svg/svg.go
View File

@@ -35,6 +35,8 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
ignoreTag := 0
var curTagName string
for {
tt, tdata := l.Next()
@@ -67,15 +69,28 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
return &newData, nil
case xml.StartTagToken:
if strings.ToLower(string(l.Text())) == "script" {
curTagName = strings.ToLower(string(l.Text()))
if curTagName == "script" {
ignoreTag++
continue
}
buf.Write(tdata)
case xml.AttributeToken:
if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
attrName := strings.ToLower(string(l.Text()))
if _, unsafe := unsafeAttrs[attrName]; unsafe {
continue
}
if curTagName == "use" && (attrName == "href" || attrName == "xlink:href") {
val := strings.TrimSpace(strings.Trim(string(l.AttrVal()), `"'`))
if len(val) > 0 && val[0] != '#' {
continue
}
}
buf.Write(tdata)
default:
buf.Write(tdata)