Merge pull request #547 from iftakharul-islam/fix/svg-sanitization

iftakharul-islam · web-flow · commit ffdc1fae6293 · 2025-04-08T14:56:48.000+06:00
Fix/svg sanitization
diff --git a/bootstrap/loaders.php b/bootstrap/loaders.php
@@ -5,6 +5,7 @@
 use WeDevs\PM\Core\Router\WP_Router;
 use WeDevs\PM\Core\Database\Migrater;
 use WeDevs\PM\Core\WP\Frontend;
+use enshrined\svgSanitize\Sanitizer;
 
 function pm_load_configurations() {
     $files = glob( __DIR__ . "/../config/*.php" );
@@ -158,3 +159,24 @@ function pm_init_tracker() {
 
     $insights->init_plugin();
 }
+
+function pm_clean_svg() {
+    add_filter( 'wp_check_filetype_and_ext', function ( $data, $file, $filename, $mimes ) {
+        if ( $data['ext'] === 'svg' ) {
+            $sanitizer = new Sanitizer();
+            // Check if file exists and is readable
+            if ( file_exists( $file ) && is_readable( $file ) ) {
+                $dirtySVG = file_get_contents( $file );
+                if ( $dirtySVG !== false ) {
+                    $cleanSVG = $sanitizer->sanitize( $dirtySVG );
+                    // Check if sanitization was successful
+                    if ( $cleanSVG !== false && is_writable( $file ) ) {
+                        file_put_contents( $file, $cleanSVG );
+                    }
+                }
+            }
+        }
+    
+        return $data;
+    }, 10, 4 );
+}
diff --git a/bootstrap/start.php b/bootstrap/start.php
@@ -20,7 +20,7 @@
 pm_view();
 pm_load_routes();
 pm_register_routes();
-
+pm_clean_svg();
 do_action( 'pm_loaded' );
 
 add_action('init', 'pm_init_tracker');
diff --git a/changelog.txt b/changelog.txt
@@ -1,5 +1,9 @@
 == Changelog ==
 
+= v2.6.23 - Apr 8, 2025 =
+
+**Added:** SVG file upload sanitization & security improvmenet.
+
 = v2.6.22 - Mar 7, 2025 =
 
 **Improved:** Readme.txt file.
diff --git a/composer.json b/composer.json
@@ -25,7 +25,8 @@
         "a5hleyrich/wp-background-processing": "^1.0",
         "tareq1988/wp-eloquent": "dev-master",
         "appsero/client": "^1.2",
-        "simshaun/recurr": "^4.0"
+        "simshaun/recurr": "^4.0",
+        "enshrined/svg-sanitize": "^0.21.0"
     },
     "autoload": {
         "classmap": [
diff --git a/composer.lock b/composer.lock
diff --git a/config/app.php b/config/app.php
@@ -3,7 +3,7 @@
 return [
     'name'        => 'Project Manager',
     'slug'        => 'pm',
-    'version'     => '2.6.22',
+    'version'     => '2.6.23',
     'api'     	  => '2',
     'db_version'  => '2.5',
     'text_domain' => 'pm',
diff --git a/cpm.php b/cpm.php
@@ -5,7 +5,7 @@
  * Description: WordPress Project Management plugin. Manage your projects and tasks, get things done.
  * Author: weDevs
  * Author URI: https://wedevs.com
- * Version: 2.6.22
+ * Version: 2.6.23
  * Text Domain: wedevs-project-manager
  * Domain Path: /languages
  * License: GPL2
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pmapi",
-  "version": "2.6.22",
+  "version": "2.6.23",
   "description": "Front-end package manager for project manager",
   "main": "index.js",
   "directories": {
diff --git a/readme.txt b/readme.txt
@@ -5,7 +5,7 @@ Tags: project, project manager, project management, project management plugin, p
 Requires at least: 4.4 or higher
 Tested up to: 6.7.2
 Requires PHP: 5.6
-Stable tag: 2.6.22
+Stable tag: 2.6.23
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -21,7 +21,7 @@ Its user-friendly interface and web-based task management feature enable the use
 
 Why wait, effortlessly manage projects, track time, and generate performance reports with this project management solution.
 
-[youtube https://www.youtube.com/watch?v=GI4u8wXOxHg&list=PLJorZsV2RVv82Xe9ReXngU6Wk1RN0EwHu&ab\_channel=weDevs\]
+[youtube https://www.youtube.com/watch?v=GI4u8wXOxHg]
 
 Want to give it a try? 
 👉 [TRY FREE OFFICIAL DEMO](https://pm.wedevsdemos.com/wp-login.php)
@@ -243,6 +243,10 @@ A. Found any bugs? Please create an [issue](https://github.com/tareq1988/wp-proj
 
 == Changelog ==
 
+= v2.6.23 - Apr 8, 2025 =
+
+**Added:** SVG file upload sanitization & security improvmenet.
+
 = v2.6.22 - Mar 7, 2025 =
 
 **Improved:** Readme.txt file.
diff --git a/src/Comment/Controllers/Comment_Controller.php b/src/Comment/Controllers/Comment_Controller.php
@@ -80,16 +80,6 @@ public function store( WP_REST_Request $request ) {
         $commentable_id = $request->get_param('commentable_id');
     
         $files      = array_key_exists( 'files', $media_data ) ? $media_data['files'] : null;
-
-        if( HelperFile::check_file_for_xss_code( $files ) ){
-            return wp_send_json(
-                [
-                    'error_type' => 'svg_xss',
-                    'message' => __( 'The SVG file you attempted to upload contains content that may pose security risks. Please ensure your file is safe and try again.', 'pm-pro' )
-                ], 400
-            );
-            wp_die();
-        }
  
         $comment = Comment::create( $data );
 
@@ -127,16 +117,6 @@ public function update( WP_REST_Request $request ) {
         // An array of files
         $files = array_key_exists( 'files', $media_data ) ? $media_data['files'] : null;
 
-        if( HelperFile::check_file_for_xss_code( $files ) ){
-            return wp_send_json(
-                [
-                    'error_type' => 'svg_xss',
-                    'message' => __( 'The SVG file you attempted to upload contains content that may pose security risks. Please ensure your file is safe and try again.', 'pm-pro' )
-                ], 400
-            );
-            wp_die();
-        }
-
         // An array of file ids that needs to be deleted
         $files_to_delete = $request->get_param( 'files_to_delete' );
 
diff --git a/src/Discussion_Board/Controllers/Discussion_Board_Controller.php b/src/Discussion_Board/Controllers/Discussion_Board_Controller.php
@@ -75,14 +75,6 @@ public function store( WP_REST_Request $request ) {
         $milestone_id = intval( $request->get_param( 'milestone' ) );
         $files        = array_key_exists( 'files', $media_data ) ? $media_data['files'] : null;
         
-        if( HelperFile::check_file_for_xss_code( $files ) ){
-            return wp_send_json(
-                [
-                    'error_type' => 'svg_xss',
-                    'message' => __( 'The SVG file you attempted to upload contains content that may pose security risks. Please ensure your file is safe and try again.', 'pm-pro' )
-                ], 400
-            );
-        }
 
         $is_private    = $request->get_param( 'privacy' );
         $data['is_private']    = $is_private == 'true' || $is_private === true ? 1 : 0;
@@ -118,15 +110,6 @@ public function update( WP_REST_Request $request ) {
         $files               = array_key_exists( 'files', $media_data ) ? $media_data['files'] : null;
         $files_to_delete     = $request->get_param( 'files_to_delete' );
 
-        if( HelperFile::check_file_for_xss_code( $files ) ){
-            return wp_send_json(
-                [
-                    'error_type' => 'svg_xss',
-                    'message' => __( 'The SVG file you attempted to upload contains content that may pose security risks. Please ensure your file is safe and try again.', 'pm-pro' )
-                ], 400
-            );
-        }
-
         $is_private    = sanitize_text_field( $request->get_param( 'privacy' ) );
         $data['is_private']    = $is_private == 'true' || $is_private === true ? 1 : 0;
 
diff --git a/src/File/Helper/File.php b/src/File/Helper/File.php
@@ -54,27 +54,27 @@ public static function get_results( $params = [] ) {
 	}
 
 	public static function check_file_for_xss_code( $files ) {
-		if (isset($files['type']) && is_array($files['type'])) {
-	
-			foreach ($files['type'] as $index => $file_type) {
-				
-				if ($file_type === 'image/svg+xml') {
-					$svg_tmp_name = $files['tmp_name'][$index];
-					$svg_content = file_get_contents($svg_tmp_name);
-	
-					if (self::contains_xss_code($svg_content)) {
-						return true;
-					}
-				}
-			}
-		}
 
-		return false;
-	}
+        if (isset($files['type']) && is_array($files['type'])) {
+			// Check if the file is an SVG
+            foreach ($files['tmp_name'] as $index => $tmp_name) {
+                $extension = pathinfo($files['name'][$index], PATHINFO_EXTENSION);
+                if ('svg' === $extension && 'image/svg+xml' === $files['type'][$index]) {
+                    $svg_content = file_get_contents($tmp_name);
 
-    public static function contains_xss_code( $content ) {
-        $pattern = '/<script.*?>.*?<\/script>|on[a-z]+\s*=\s*["\'][^"\']*["\']/i';
+                    if (self::contains_xss_code($svg_content)) {
+                        return true;
+                    }
+                }
+            }
+
+        }
+
+        return false;
+    }
 
+    public static function contains_xss_code( $content ) {
+		$pattern = '/<script.*?>.*?<\/script>|on[a-z]+\s*=\s*["\'][^"\']*["\']|javascript\s*[:=][^"\']+|data\s*[:=][^"\']+/ix';
         return preg_match($pattern, $content);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "pmapi",`
`3`		`- "version": "2.6.22",`
	`3`	`+ "version": "2.6.23",`
`4`	`4`	`"description": "Front-end package manager for project manager",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"directories": {`