The filter attribute will often have things like filter="url( #foo )"
These local to the file filters in svgs should be fine (We already
disallow non-local xlink:href attributes on <filter> elements). In
fact, users can already do the exact same thing by doing:
style="filter: url( #foo )"
Bug: 67044
Change-Id: Ib25328c160c0d5ea7e01dc84616b76e1b9dcd0eb
}
# image filters can pull in url, which could be svg that executes scripts
+ # Only allow url( "#foo" ). Do not allow url( http://example.com )
if ( $strippedElement == 'image'
&& $stripped == 'filter'
- && preg_match( '!url\s*\(!sim', $value )
+ && preg_match( '!url\s*\(\s*["\']?[^#]!sim', $value )
) {
wfDebug( __METHOD__ . ": Found image filter with url: "
. "\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );
// html5sec SVG vectors
[
'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
- true,
- true,
+ true, /* SVG is well formed */
+ true, /* Evil SVG detected */
'Script tag in svg (http://html5sec.org/#47)'
],
[
true,
false,
'DTD with aliased entities apos (Should be allowed)'
- ]
+ ],
+ [
+ '<svg xmlns="http://www.w3.org/2000/svg"><g filter="url( \'#foo\' )"></g></svg>',
+ true,
+ false,
+ 'SVG with local filter (T69044)'
+ ],
+ [
+ '<svg xmlns="http://www.w3.org/2000/svg"><g filter="url( http://example.com/#foo )"></g></svg>',
+ true,
+ true,
+ 'SVG with non-local filter (T69044)'
+ ],
+
];
// phpcs:enable
}