diff --git a/app/Libraries/HTMLUtils.php b/app/Libraries/HTMLUtils.php
index 3fc7b5957bbb..51dcf9b8964c 100644
--- a/app/Libraries/HTMLUtils.php
+++ b/app/Libraries/HTMLUtils.php
@@ -4,6 +4,7 @@ namespace App\Libraries;
 
 use HTMLPurifier;
 use HTMLPurifier_Config;
+use enshrined\svgSanitize\Sanitizer;
 
 class HTMLUtils
 {
@@ -74,4 +75,15 @@ class HTMLUtils
 
         return env($key, env($field, $default));
     }
+
+    public static function sanitizeSVG($svg)
+    {
+        try {
+            $sanitizer = new Sanitizer();
+
+            return $sanitizer->sanitize($svg);
+        } catch(\Exception $e) {
+            return "";
+        }
+    }
 }
diff --git a/app/Ninja/Repositories/DocumentRepository.php b/app/Ninja/Repositories/DocumentRepository.php
index e470348a3a45..cf48d3406491 100644
--- a/app/Ninja/Repositories/DocumentRepository.php
+++ b/app/Ninja/Repositories/DocumentRepository.php
@@ -7,6 +7,7 @@ use DB;
 use Form;
 use Intervention\Image\ImageManager;
 use Utils;
+use App\Libraries\HTMLUtils;
 
 class DocumentRepository extends BaseRepository
 {
@@ -83,6 +84,14 @@ class DocumentRepository extends BaseRepository
             return 'File too large';
         }
 
+        if($documentType === 'svg') {
+            $stream = file_get_contents($filePath);
+            if(!($stream = HTMLUtils::sanitizeSVG($stream))) {
+                return 'Unsupported file type';
+            }
+            file_put_contents($filePath, $stream);
+        }
+
         // don't allow a document to be linked to both an invoice and an expense
         if (array_get($data, 'invoice_id') && array_get($data, 'expense_id')) {
             unset($data['expense_id']);
diff --git a/composer.json b/composer.json
index 0fc0b4235604..46589d4c4815 100644
--- a/composer.json
+++ b/composer.json
@@ -44,6 +44,7 @@
         "digitickets/omnipay-realex": "~5.0",
         "doctrine/dbal": "2.6.x",
         "dompdf/dompdf": "0.6.2",
+        "enshrined/svg-sanitize": "^0.14.1",
         "ezyang/htmlpurifier": "~v4.7",
         "fotografde/omnipay-checkoutcom": "~2.0",
         "fruitcakestudio/omnipay-sisow": "~2.0",
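Review bot: `sanitizeSVG` returns whatever `Sanitizer::sanitize()` yields, and that library call returns `false` rather than a string when the input cannot be parsed as XML, so the method's result is `string|false` while the catch branch returns `""`; callers that compare against `''` or type the result as string will miss the `false` case. Normalising the result, `return $sanitizer->sanitize($svg) ?: '';`, keeps the "empty means rejected" contract the caller relies on, and the `catch(\Exception $e)` should at least log `$e` before discarding it so a sanitizer failure is visible in operations rather than silently turning into a rejected upload. The method also lacks a signature and docblock; add `/** Sanitize untrusted SVG markup; returns '' when it cannot be parsed or cleaned. @param string $svg @return string */` and declare `string $svg` / `: string`. If the pinned library version supports `removeRemoteReferences(true)`, enabling it on the sanitizer instance is worth considering so external references in the SVG are stripped as well.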
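Review bot: The return value of `file_get_contents($filePath)` is not checked, so a read failure passes `false` into `HTMLUtils::sanitizeSVG`, and the result of `file_put_contents($filePath, $stream)` is ignored, so a failed write leaves the unsanitized SVG on disk while the upload is reported as accepted. Both I/O results should be tested for `=== false` and the upload rejected on failure, and the sanitized output should be checked explicitly rather than through the truthiness of an assignment inside the condition. The gate also depends on `$documentType === 'svg'`, which is computed outside the hunk; if that value is derived from the client-supplied extension or MIME type rather than the file contents, confirm that an SVG stored under another type cannot later be served as `image/svg+xml`. The enclosing method starts and ends outside this hunk.
```php
        if ($documentType === 'svg') {
            $raw = file_get_contents($filePath);
            if ($raw === false) {
                return 'Unsupported file type';
            }
            $clean = HTMLUtils::sanitizeSVG($raw);
            // sanitizeSVG yields '' on exception and the library can yield false on unparseable input
            if ($clean === false || $clean === '') {
                return 'Unsupported file type';
            }
            if (file_put_contents($filePath, $clean) === false) {
                return 'Unsupported file type';
            }
        }
        // … unchanged: invoice/expense exclusivity check …
```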