Added Security::sanitizeSVG function + update CHANGELOG

Andy Miller
2019-09-03 11:53:25 -06:00
parent ca2f657c98
commit 45b1b0a2ef
4 changed files with 70 additions and 3 deletions


@@ -1,8 +1,13 @@
# v1.7.0-beta.8
## mm/dd/2019
1. [](#new)
* Added new `Security::sanitizeSVG()` function
1. [](#improved)
* Several FlexObject loading improvements
1. [](#bugfix)
* Regression: Fixed language fallback
* Regression: Allow SVG avatar images for users
# v1.7.0-beta.7
## 08/30/2019


@@ -51,7 +51,8 @@
"dragonmantank/cron-expression": "^1.2",
"phive/twig-extensions-deferred": "^1.0",
"willdurand/negotiation": "^2.3",
"itsgoingd/clockwork": "~4.0"
"itsgoingd/clockwork": "~4.0",
"enshrined/svg-sanitize": "^0.10.0"
},
"require-dev": {
"codeception/codeception": "^2.4",
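Review bot: The new `enshrined/svg-sanitize` requirement is licensed GPL-2.0+ according to the lockfile entry added in this same commit; that is worth checking against the project's own licence before the dependency is relied on, since GPL terms follow the code into distribution. The `^0.10.0` constraint limits updates to the 0.10.x line, which is reasonable given the lockfile also pins an exact source reference.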

composer.lock generated

@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "fe6ec382807a811a027202be339f8384",
"content-hash": "651a29a09418144e8b0d47bade1e807f",
"packages": [
{
"name": "antoligy/dom-string-iterators",
@@ -346,6 +346,43 @@
],
"time": "2017-01-23T04:29:33+00:00"
},
{
"name": "enshrined/svg-sanitize",
"version": "0.10.0",
"source": {
"type": "git",
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
"reference": "5344d8511e494adf160f71f4b34024d3a3c66c82"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/5344d8511e494adf160f71f4b34024d3a3c66c82",
"reference": "5344d8511e494adf160f71f4b34024d3a3c66c82",
"shasum": ""
},
"require-dev": {
"codeclimate/php-test-reporter": "^0.1.2",
"phpunit/phpunit": "^6"
},
"type": "library",
"autoload": {
"psr-4": {
"enshrined\\svgSanitize\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"GPL-2.0+"
],
"authors": [
{
"name": "Daryll Doyle",
"email": "daryll@enshrined.co.uk"
}
],
"description": "An SVG sanitizer for PHP",
"time": "2019-01-11T12:31:32+00:00"
},
{
"name": "erusev/parsedown",
"version": "1.6.4",


@@ -9,11 +9,33 @@
namespace Grav\Common;
use enshrined\svgSanitize\Sanitizer;
use Grav\Common\Page\Pages;
class Security
{
/**
* Sanitize SVG for XSS code
*
* @param $file
*/
public static function sanitizeSVG($file)
{
$sanitizer = new Sanitizer();
$original_svg = file_get_contents($file);
$clean_svg = $sanitizer->sanitize($original_svg);
file_put_contents($file, $clean_svg);
}
/**
* Detect XSS code in Grav pages
*
* @param Pages $pages
* @param bool $route
* @param callable|null $status
* @return array
*/
public static function detectXssFromPages(Pages $pages, $route = true, callable $status = null)
{
$routes = $pages->routes();
@@ -51,7 +73,6 @@ class Security
} else {
$list[$page->filePathClean()] = $results;
}
}
} catch (\Exception $e) {
@@ -63,6 +84,8 @@ class Security
}
/**
* Detect XSS in an array or strings such as $_POST or $_GET
*
* @param array $array Array such as $_POST or $_GET
* @param string $prefix Prefix for returned values.
* @return array Returns flatten list of potentially dangerous input values, such as 'data.content'.
@@ -89,6 +112,7 @@ class Security
/**
* Determine if string potentially has a XSS attack. This simple function does not catch all XSS and it is likely to
*
* return false positives because of it tags all potentially dangerous HTML tags and attributes without looking into
* their content.
*
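Review bot: `sanitizeSVG()` in the first hunk has no failure path: if `file_get_contents($file)` returns false, or `sanitize()` rejects the input (in this library a parse failure is signalled by returning false rather than by throwing, as far as I recall), `file_put_contents($file, $clean_svg)` still runs and overwrites the file with an empty string, and the caller cannot tell because the method returns nothing. Checking both results and returning a bool keeps the fail-closed outcome (the unsanitized file never stays on disk) while letting the upload code report the rejection instead of silently keeping a zero-byte avatar. The default sanitizer configuration also leaves external references inside the SVG intact; calling `$sanitizer->removeRemoteReferences(true)` before `sanitize()` is the usual hardening for user-supplied files, if the pinned 0.10.0 release supports it. The docblock should gain a type and a return description, e.g. `@param string $file Path to the SVG file, which is rewritten in place` and `@return bool true if the file was sanitized and written`. The remainder of the class below `detectXssFromPages()` continues outside these hunks.
```php
    public static function sanitizeSVG($file)
    {
        $original_svg = file_get_contents($file);
        if ($original_svg === false) {
            // Nothing readable to sanitize; let the caller decide what to do with the upload.
            return false;
        }

        $sanitizer = new Sanitizer();
        // Stop the file from pulling external resources once it is served inline.
        $sanitizer->removeRemoteReferences(true);

        $clean_svg = $sanitizer->sanitize($original_svg);
        if ($clean_svg === false) {
            // Unparseable input: keep the fail-closed behaviour (never leave the
            // unsanitized file on disk) but tell the caller it was rejected.
            file_put_contents($file, '');
            return false;
        }

        return file_put_contents($file, $clean_svg) !== false;
    }
```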