|
12 | 12 | * @todo test and reorganise
|
13 | 13 | */
|
14 | 14 |
|
| 15 | +use enshrined\svgSanitize\Sanitizer; |
| 16 | + |
15 | 17 | /**
|
16 | 18 | * Changes the file name extension from .php to .phps
|
17 | 19 | * Useful for securing a site.
|
@@ -191,6 +193,22 @@ function process_uploaded_file($uploaded_file, $show_output = true)
|
191 | 193 | return true;
|
192 | 194 | }
|
193 | 195 |
|
| 196 | +function sanitizeSvgFile(string $fullPath) |
| 197 | +{ |
| 198 | + $fileType = mime_content_type($fullPath); |
| 199 | + |
| 200 | + if ('image/svg+xml' !== $fileType) { |
| 201 | + return; |
| 202 | + } |
| 203 | + |
| 204 | + $svgContent = file_get_contents($fullPath); |
| 205 | + |
| 206 | + $sanitizer = new Sanitizer(); |
| 207 | + $cleanSvg = $sanitizer->sanitize($svgContent); |
| 208 | + |
| 209 | + file_put_contents($fullPath, $cleanSvg); |
| 210 | +} |
| 211 | + |
194 | 212 | /**
|
195 | 213 | * This function does the save-work for the documents.
|
196 | 214 | * It handles the uploaded file and adds the properties to the database
|
@@ -394,6 +412,7 @@ function handle_uploaded_document(
|
394 | 412 | $fileExists = file_exists($fullPath);
|
395 | 413 |
|
396 | 414 | if (moveUploadedFile($uploadedFile, $fullPath)) {
|
| 415 | + sanitizeSvgFile($fullPath); |
397 | 416 | chmod($fullPath, $filePermissions);
|
398 | 417 |
|
399 | 418 | if ($fileExists && $docId) {
|
@@ -577,6 +596,7 @@ function handle_uploaded_document(
|
577 | 596 | $filePath = $uploadPath.$fileSystemName;
|
578 | 597 |
|
579 | 598 | if (moveUploadedFile($uploadedFile, $fullPath)) {
|
| 599 | + sanitizeSvgFile($fullPath); |
580 | 600 | chmod($fullPath, $filePermissions);
|
581 | 601 | // Put the document data in the database
|
582 | 602 | $documentId = add_document(
|