CVE-2022-0970: Added XSS check for uploaded SVG files before they get stored · getgrav/grav@f19297d
Stored Cross-site Scripting (XSS) in GitHub repository getgrav/grav prior to 1.7.31.
@@ -25,6 +25,22 @@
*/
class Security
{
/**
* @param string $filepath
* @param array|null $options
* @return string|null
*/
public static function detectXssFromSvgFile(string $filepath, array $options = null): ?string
{
if (file_exists($filepath) && Grav::instance()[‘config’]->get(‘security.sanitize_svg’)) {
$content = file_get_contents($filepath);
return static::detectXss($content, $options);
}
return null;
}
/**
* Sanitize SVG string for XSS code
*
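Review bot: The result of `file_get_contents($filepath)` in detectXssFromSvgFile is passed to `detectXss` without checking for `false`, so a file that exists but cannot be read (permissions, race with the upload being moved) is scanned as an empty string and reported as clean, which is the fail-open outcome for a security check; the `detectXss($string, ...)` signature visible in the next hunk header is untyped, so nothing stops the coercion. Add a guard before the call: `if ($content === false) { throw new \RuntimeException("Unable to read SVG file for XSS detection: {$filepath}"); }` (or, if callers of the upload path do not expect exceptions, return a non-null marker so the file is rejected rather than accepted). The method also returns `null` both when the file is clean and when `security.sanitize_svg` is disabled, so callers cannot tell "scanned and clean" from "not scanned"; at minimum the docblock should say so, e.g. `* Returns null when no XSS pattern is found OR when the check is disabled by configuration.`. The `array $options = null` parameter relies on implicit nullability, which is deprecated in PHP 8.4; write it as `?array $options = null`.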
@@ -200,7 +216,7 @@ public static function detectXss($string, array $options = null): ?string
}, $string);
// Clean up entities
$string = preg_replace('!(&#[0-9]+)!u’, '$1;’, $string);
$string = preg_replace('!(&#[0-9]+);?!u’, '$1;’, $string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, ‘UTF-8’);
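Review bot: The rewritten `preg_replace('!(&#[0-9]+);?!u', '$1;', $string)` line returns `null` on a PCRE error, and with the `u` modifier that includes input that is not valid UTF-8, which an uploaded SVG can easily be; `$string` then becomes `null`, `html_entity_decode` treats it as an empty string, and the rest of detectXss runs on nothing, so malformed input would pass as clean. After the replacement, check for that case and fail closed, e.g. `if ($string === null) { return 'invalid_encoding'; }` (returning a non-null value so the caller rejects the input; `preg_last_error()` can be logged for diagnostics). The same concern applies to the `preg_replace_callback` ending at `}, $string);` just above. detectXss's body starts and ends outside this hunk.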