diff --git a/app/Libraries/HTMLUtils.php b/app/Libraries/HTMLUtils.php
index 3fc7b5957bbb..51dcf9b8964c 100644
--- a/app/Libraries/HTMLUtils.php
+++ b/app/Libraries/HTMLUtils.php
@@ -4,6 +4,7 @@ namespace App\Libraries;
use HTMLPurifier;
use HTMLPurifier_Config;
+use enshrined\svgSanitize\Sanitizer;
class HTMLUtils
{
@@ -74,4 +75,15 @@ class HTMLUtils
return env($key, env($field, $default));
}
+
+ public static function sanitizeSVG($svg)
+ {
+ try {
+ $sanitizer = new Sanitizer();
+
+ return $sanitizer->sanitize($svg);
+ } catch(\Exception $e) {
+ return "";
+ }
+ }
}
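Review bot: The `catch(\Exception $e) { return ""; }` in the new sanitizeSVG hides why sanitisation failed, and the sanitizer's own failure path is not an exception anyway: `Sanitizer::sanitize()` returns `false` when the input cannot be parsed as XML, so callers currently have to treat both `false` and `""` as rejection. Make that contract explicit by normalising the result and typing the signature, e.g. `public static function sanitizeSVG(string $svg): string` with `return $sanitizer->sanitize($svg) ?: '';`, and narrow or drop the blanket catch so a real error is logged rather than silently mapped to an empty string. A short docblock would help the caller, something like `/** Returns sanitized SVG markup, or '' when the input could not be parsed or sanitised; a falsy result means the file must be rejected. */`. If the pinned svg-sanitize version supports it, calling `$sanitizer->removeRemoteReferences(true);` before sanitising also strips external references that a rendered SVG would otherwise fetch.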
diff --git a/app/Ninja/Repositories/DocumentRepository.php b/app/Ninja/Repositories/DocumentRepository.php
index e470348a3a45..cf48d3406491 100644
--- a/app/Ninja/Repositories/DocumentRepository.php
+++ b/app/Ninja/Repositories/DocumentRepository.php
@@ -7,6 +7,7 @@ use DB;
use Form;
use Intervention\Image\ImageManager;
use Utils;
+use App\Libraries\HTMLUtils;
class DocumentRepository extends BaseRepository
{
@@ -83,6 +84,14 @@ class DocumentRepository extends BaseRepository
return 'File too large';
}
+ if($documentType === 'svg') {
+ $stream = file_get_contents($filePath);
+ if(!($stream = HTMLUtils::sanitizeSVG($stream))) {
+ return 'Unsupported file type';
+ }
+ file_put_contents($filePath, $stream);
+ }
+
// don't allow a document to be linked to both an invoice and an expense
if (array_get($data, 'invoice_id') && array_get($data, 'expense_id')) {
unset($data['expense_id']);
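Review bot: The return value of `file_put_contents($filePath, $stream)` in the new svg branch is not checked, so if the write fails the original, unsanitised SVG stays on disk and the upload is still accepted; likewise `file_get_contents` can return `false`, which is then passed straight into the sanitizer. Check both, e.g. `if ($stream === false || file_put_contents($filePath, $stream) === false) { return 'Unsupported file type'; }`. `$documentType` is set outside this hunk and sanitisation only runs when it equals `'svg'`, so the protection holds only if that classification is derived from the file content rather than the client-supplied name or MIME type; worth confirming where it comes from. The assignment inside `if(!($stream = HTMLUtils::sanitizeSVG($stream)))` is easy to misread; assigning on its own line and then testing reads more clearly. The enclosing method starts and ends outside the hunk.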
diff --git a/composer.json b/composer.json
index 0fc0b4235604..46589d4c4815 100644
--- a/composer.json
+++ b/composer.json
@@ -44,6 +44,7 @@
"digitickets/omnipay-realex": "~5.0",
"doctrine/dbal": "2.6.x",
"dompdf/dompdf": "0.6.2",
+ "enshrined/svg-sanitize": "^0.14.1",
"ezyang/htmlpurifier": "~v4.7",
"fotografde/omnipay-checkoutcom": "~2.0",
"fruitcakestudio/omnipay-sisow": "~2.0",