Changeset 3344112
- Timestamp:
- 08/13/2025 03:22:07 PM (8 months ago)
- Location:
- safe-svg
- Files:
-
- 22 edited
- 1 copied
-
tags/2.3.3 (copied) (copied from safe-svg/trunk)
-
tags/2.3.3/readme.txt (modified) (2 diffs)
-
tags/2.3.3/safe-svg.php (modified) (2 diffs)
-
tags/2.3.3/vendor/autoload.php (modified) (1 diff)
-
tags/2.3.3/vendor/composer/autoload_real.php (modified) (2 diffs)
-
tags/2.3.3/vendor/composer/autoload_static.php (modified) (2 diffs)
-
tags/2.3.3/vendor/composer/installed.json (modified) (3 diffs)
-
tags/2.3.3/vendor/composer/installed.php (modified) (3 diffs)
-
tags/2.3.3/vendor/composer/platform_check.php (modified) (1 diff)
-
tags/2.3.3/vendor/enshrined/svg-sanitize/src/Exceptions/NestingException.php (modified) (1 diff)
-
tags/2.3.3/vendor/enshrined/svg-sanitize/src/Sanitizer.php (modified) (4 diffs)
-
tags/2.3.3/vendor/enshrined/svg-sanitize/src/data/AllowedAttributes.php (modified) (1 diff)
-
trunk/readme.txt (modified) (2 diffs)
-
trunk/safe-svg.php (modified) (2 diffs)
-
trunk/vendor/autoload.php (modified) (1 diff)
-
trunk/vendor/composer/autoload_real.php (modified) (2 diffs)
-
trunk/vendor/composer/autoload_static.php (modified) (2 diffs)
-
trunk/vendor/composer/installed.json (modified) (3 diffs)
-
trunk/vendor/composer/installed.php (modified) (3 diffs)
-
trunk/vendor/composer/platform_check.php (modified) (1 diff)
-
trunk/vendor/enshrined/svg-sanitize/src/Exceptions/NestingException.php (modified) (1 diff)
-
trunk/vendor/enshrined/svg-sanitize/src/Sanitizer.php (modified) (4 diffs)
-
trunk/vendor/enshrined/svg-sanitize/src/data/AllowedAttributes.php (modified) (1 diff)
safe-svg/tags/2.3.3/readme.txt
r3331548 r3344112 3 3 Tags: svg, security, media, vector, mime 4 4 Tested up to: 6.8 5 Stable tag: 2.3. 25 Stable tag: 2.3.3 6 6 License: GPL-2.0-or-later 7 7 License URI: https://spdx.org/licenses/GPL-2.0-or-later.html … … 65 65 == Changelog == 66 66 67 = 2.3.3 - 2025-08-13 = 68 * **Security:** Update the `enshrined/svg-sanitize` package from `0.19.0` to `0.22.0` to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props [@darylldoyle](https://github.com/darylldoyle), [@sudar](https://github.com/sudar), [@georgestephanis](https://github.com/georgestephanis), [@dkotter](https://github.com/dkotter), [@realazizk](https://github.com/realazizk) via [#268](https://github.com/10up/safe-svg/pull/268), [#272](https://github.com/10up/safe-svg/pull/272)). 69 * **Security:** Bump `form-data` from 4.0.0 to 4.0.4 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#270](https://github.com/10up/safe-svg/pull/270)). 70 * **Security:** Bump `tmp` from 0.2.3 to 0.2.5 and `@inquirer/editor` from 4.2.9 to 4.2.16 (props [@dependabot](https://github.com/apps/dependabot), [@dkotter](https://github.com/dkotter) via [#271](https://github.com/10up/safe-svg/pull/271)). 71 67 72 = 2.3.2 - 2025-07-21 = 68 73 * **Fixed:** Visual parity between the front end and the block editor (props [@s3rgiosan](https://github.com/s3rgiosan), [@dkotter](https://github.com/dkotter) via [#261](https://github.com/10up/safe-svg/pull/261), [#266](https://github.com/10up/safe-svg/pull/266)). -
safe-svg/tags/2.3.3/safe-svg.php
r3331548 r3344112 4 4 * Plugin URI: https://wordpress.org/plugins/safe-svg/ 5 5 * Description: Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website 6 * Version: 2.3. 26 * Version: 2.3.3 7 7 * Requires at least: 6.6 8 8 * Requires PHP: 7.4 … … 25 25 } 26 26 27 define( 'SAFE_SVG_VERSION', '2.3. 2' );27 define( 'SAFE_SVG_VERSION', '2.3.3' ); 28 28 define( 'SAFE_SVG_PLUGIN_DIR', __DIR__ ); 29 29 define( 'SAFE_SVG_PLUGIN_URL', plugin_dir_url( __FILE__ ) ); -
safe-svg/tags/2.3.3/vendor/autoload.php
r3331548 r3344112 20 20 require_once __DIR__ . '/composer/autoload_real.php'; 21 21 22 return ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386::getLoader();22 return ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4::getLoader(); -
safe-svg/tags/2.3.3/vendor/composer/autoload_real.php
r3196634 r3344112 3 3 // autoload_real.php @generated by Composer 4 4 5 class ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd3865 class ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4 6 6 { 7 7 private static $loader; … … 25 25 require __DIR__ . '/platform_check.php'; 26 26 27 spl_autoload_register(array('ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386', 'loadClassLoader'), true, true);27 spl_autoload_register(array('ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4', 'loadClassLoader'), true, true); 28 28 self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__)); 29 spl_autoload_unregister(array('ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386', 'loadClassLoader'));29 spl_autoload_unregister(array('ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4', 'loadClassLoader')); 30 30 31 31 require __DIR__ . '/autoload_static.php'; 32 call_user_func(\Composer\Autoload\ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::getInitializer($loader));32 call_user_func(\Composer\Autoload\ComposerStaticInitb11636263ada0d11272a0b07c12577f4::getInitializer($loader)); 33 33 34 34 $loader->register(true); -
safe-svg/tags/2.3.3/vendor/composer/autoload_static.php
r3196634 r3344112 5 5 namespace Composer\Autoload; 6 6 7 class ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd3867 class ComposerStaticInitb11636263ada0d11272a0b07c12577f4 8 8 { 9 9 public static $prefixLengthsPsr4 = array ( … … 28 28 { 29 29 return \Closure::bind(function () use ($loader) { 30 $loader->prefixLengthsPsr4 = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$prefixLengthsPsr4;31 $loader->prefixDirsPsr4 = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$prefixDirsPsr4;32 $loader->classMap = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$classMap;30 $loader->prefixLengthsPsr4 = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$prefixLengthsPsr4; 31 $loader->prefixDirsPsr4 = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$prefixDirsPsr4; 32 $loader->classMap = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$classMap; 33 33 34 34 }, null, ClassLoader::class); -
safe-svg/tags/2.3.3/vendor/composer/installed.json
r3196634 r3344112 3 3 { 4 4 "name": "enshrined/svg-sanitize", 5 "version": "0. 19.0",6 "version_normalized": "0. 19.0.0",5 "version": "0.22.0", 6 "version_normalized": "0.22.0.0", 7 7 "source": { 8 8 "type": "git", 9 9 "url": "https://github.com/darylldoyle/svg-sanitizer.git", 10 "reference": " e95cd17be68e45f523cbfb0fe50cdd891b0cf20e"10 "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500" 11 11 }, 12 12 "dist": { 13 13 "type": "zip", 14 "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/ e95cd17be68e45f523cbfb0fe50cdd891b0cf20e",15 "reference": " e95cd17be68e45f523cbfb0fe50cdd891b0cf20e",14 "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/0afa95ea74be155a7bcd6c6fb60c276c39984500", 15 "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500", 16 16 "shasum": "" 17 17 }, … … 19 19 "ext-dom": "*", 20 20 "ext-libxml": "*", 21 "php": "^ 5.6 || ^7.0|| ^8.0"21 "php": "^7.1 || ^8.0" 22 22 }, 23 23 "require-dev": { 24 "phpunit/phpunit": "^ 5.7 || ^6.5 || ^8.5"24 "phpunit/phpunit": "^6.5 || ^8.5" 25 25 }, 26 "time": "202 4-06-18T10:27:15+00:00",26 "time": "2025-08-12T10:13:48+00:00", 27 27 "type": "library", 28 28 "installation-source": "dist", … … 45 45 "support": { 46 46 "issues": "https://github.com/darylldoyle/svg-sanitizer/issues", 47 "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0. 19.0"47 "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.22.0" 48 48 }, 49 49 "install-path": "../enshrined/svg-sanitize" -
safe-svg/tags/2.3.3/vendor/composer/installed.php
r3331548 r3344112 2 2 'root' => array( 3 3 'name' => 'darylldoyle/safe-svg', 4 'pretty_version' => '2.3. 2',5 'version' => '2.3. 2.0',6 'reference' => ' b16407502325e4ebc6161b4aa07ea96547a7f0f8',4 'pretty_version' => '2.3.3', 5 'version' => '2.3.3.0', 6 'reference' => 'ebd92026e3e054c7aa60a0e8fabf1741801bb603', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../', … … 12 12 'versions' => array( 13 13 'darylldoyle/safe-svg' => array( 14 'pretty_version' => '2.3. 2',15 'version' => '2.3. 2.0',16 'reference' => ' b16407502325e4ebc6161b4aa07ea96547a7f0f8',14 'pretty_version' => '2.3.3', 15 'version' => '2.3.3.0', 16 'reference' => 'ebd92026e3e054c7aa60a0e8fabf1741801bb603', 17 17 'type' => 'wordpress-plugin', 18 18 'install_path' => __DIR__ . '/../../', … … 21 21 ), 22 22 'enshrined/svg-sanitize' => array( 23 'pretty_version' => '0. 19.0',24 'version' => '0. 19.0.0',25 'reference' => ' e95cd17be68e45f523cbfb0fe50cdd891b0cf20e',23 'pretty_version' => '0.22.0', 24 'version' => '0.22.0.0', 25 'reference' => '0afa95ea74be155a7bcd6c6fb60c276c39984500', 26 26 'type' => 'library', 27 27 'install_path' => __DIR__ . '/../enshrined/svg-sanitize', -
safe-svg/tags/2.3.3/vendor/composer/platform_check.php
r2885114 r3344112 20 20 } 21 21 } 22 trigger_error( 23 'Composer detected issues in your platform: ' . implode(' ', $issues), 24 E_USER_ERROR 22 throw new \RuntimeException( 23 'Composer detected issues in your platform: ' . implode(' ', $issues) 25 24 ); 26 25 } -
safe-svg/tags/2.3.3/vendor/enshrined/svg-sanitize/src/Exceptions/NestingException.php
r2683939 r3344112 19 19 * @param \DOMElement|null $element 20 20 */ 21 public function __construct($message = "", $code = 0, Exception $previous = null,\DOMElement $element = null)21 public function __construct($message = "", $code = 0, ?Exception $previous = null, ?\DOMElement $element = null) 22 22 { 23 23 $this->element = $element; -
safe-svg/tags/2.3.3/vendor/enshrined/svg-sanitize/src/Sanitizer.php
r3196634 r3344112 221 221 } 222 222 223 // Strip php tags 224 $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty); 223 do { 224 /* 225 * recursively remove php tags because they can be hidden inside tags 226 * i.e. <?p<?php test?>hp echo . ' danger! ';?> 227 */ 228 $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty); 229 } while (preg_match('/<\?(=|php)(.+?)\?>/i', $dirty) != 0); 225 230 226 231 $this->resetInternal(); … … 417 422 * We have to do this as the link is still ran in this case. 418 423 */ 419 if (false !== str pos($attrName, 'href')) {424 if (false !== stripos($attrName, 'href')) { 420 425 $href = $element->getAttribute($attrName); 421 426 if (false === $this->isHrefSafeValue($href)) { … … 449 454 protected function cleanXlinkHrefs(\DOMElement $element) 450 455 { 451 $xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href'); 452 if (false === $this->isHrefSafeValue($xlinks)) { 453 $element->removeAttributeNS( 'http://www.w3.org/1999/xlink', 'href' ); 454 $this->xmlIssues[] = array( 455 'message' => 'Suspicious attribute \'href\'', 456 'line' => $element->getLineNo(), 457 ); 458 } 456 foreach ($element->attributes as $attribute) { 457 // remove attributes with unexpected namespace prefix, e.g. 
`XLinK:href` (instead of `xlink:href`) 458 if ($attribute->prefix === '' && strtolower($attribute->nodeName) === 'xlink:href') { 459 $element->removeAttribute($attribute->nodeName); 460 $this->xmlIssues[] = array( 461 'message' => sprintf('Unexpected attribute \'%s\'', $attribute->nodeName), 462 'line' => $element->getLineNo(), 463 ); 464 } 465 } 466 $this->cleanHrefAttributes($element, 'xlink'); 459 467 } 460 468 … … 466 474 protected function cleanHrefs(\DOMElement $element) 467 475 { 468 $href = $element->getAttribute('href'); 469 if (false === $this->isHrefSafeValue($href)) { 470 $element->removeAttribute('href'); 471 $this->xmlIssues[] = array( 472 'message' => 'Suspicious attribute \'href\'', 473 'line' => $element->getLineNo(), 474 ); 476 $this->cleanHrefAttributes($element); 477 } 478 479 protected function cleanHrefAttributes(\DOMElement $element, string $prefix = ''): void 480 { 481 $relevantAttributes = array_filter( 482 iterator_to_array($element->attributes), 483 static function (\DOMAttr $attr) use ($prefix) { 484 return strtolower($attr->name) === 'href' && strtolower($attr->prefix) === $prefix; 485 } 486 ); 487 foreach ($relevantAttributes as $attribute) { 488 if (!$this->isHrefSafeValue($attribute->value)) { 489 $element->removeAttribute($attribute->nodeName); 490 $this->xmlIssues[] = array( 491 'message' => sprintf('Suspicious attribute \'%s\'', $attribute->nodeName), 492 'line' => $element->getLineNo(), 493 ); 494 continue; 495 } 496 // in case the attribute name is `HrEf`/`xlink:HrEf`, adjust it to `href`/`xlink:href` 497 if (!in_array($attribute->nodeName, $this->allowedAttrs, true) 498 && in_array(strtolower($attribute->nodeName), $this->allowedAttrs, true) 499 ) { 500 $element->removeAttribute($attribute->nodeName); 501 $element->setAttribute(strtolower($attribute->nodeName), $attribute->value); 502 } 475 503 } 476 504 } -
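Review bot: In the new `cleanXlinkHrefs()`, the `foreach ($element->attributes as $attribute)` loop calls `$element->removeAttribute()` on the live attribute map it is iterating, which may cause the entry following a removed attribute to be skipped. The `cleanHrefAttributes()` helper added in the same change snapshots the map with `iterator_to_array()` before touching it, so the loop should do the same: `foreach (iterator_to_array($element->attributes) as $attribute) {`. Separately, the `do { … } while (preg_match(...) != 0)` loop in the first hunk does not check for `preg_replace()` returning `null` on a PCRE error; a guard such as `if ($dirty === null) { return false; }` would make the failure explicit, though how a null `$dirty` is handled afterwards is outside the hunk. The same code appears in the `safe-svg/trunk/vendor/enshrined/svg-sanitize/src/Sanitizer.php` section, so both points apply there too.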
safe-svg/tags/2.3.3/vendor/enshrined/svg-sanitize/src/data/AllowedAttributes.php
r2885114 r3344112 144 144 'display', 145 145 'divisor', 146 'dominant-baseline', 146 147 'dur', 147 148 'edgemode', -
safe-svg/trunk/readme.txt
r3331548 r3344112 3 3 Tags: svg, security, media, vector, mime 4 4 Tested up to: 6.8 5 Stable tag: 2.3. 25 Stable tag: 2.3.3 6 6 License: GPL-2.0-or-later 7 7 License URI: https://spdx.org/licenses/GPL-2.0-or-later.html … … 65 65 == Changelog == 66 66 67 = 2.3.3 - 2025-08-13 = 68 * **Security:** Update the `enshrined/svg-sanitize` package from `0.19.0` to `0.22.0` to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props [@darylldoyle](https://github.com/darylldoyle), [@sudar](https://github.com/sudar), [@georgestephanis](https://github.com/georgestephanis), [@dkotter](https://github.com/dkotter), [@realazizk](https://github.com/realazizk) via [#268](https://github.com/10up/safe-svg/pull/268), [#272](https://github.com/10up/safe-svg/pull/272)). 69 * **Security:** Bump `form-data` from 4.0.0 to 4.0.4 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#270](https://github.com/10up/safe-svg/pull/270)). 70 * **Security:** Bump `tmp` from 0.2.3 to 0.2.5 and `@inquirer/editor` from 4.2.9 to 4.2.16 (props [@dependabot](https://github.com/apps/dependabot), [@dkotter](https://github.com/dkotter) via [#271](https://github.com/10up/safe-svg/pull/271)). 71 67 72 = 2.3.2 - 2025-07-21 = 68 73 * **Fixed:** Visual parity between the front end and the block editor (props [@s3rgiosan](https://github.com/s3rgiosan), [@dkotter](https://github.com/dkotter) via [#261](https://github.com/10up/safe-svg/pull/261), [#266](https://github.com/10up/safe-svg/pull/266)). -
safe-svg/trunk/safe-svg.php
r3331548 r3344112 4 4 * Plugin URI: https://wordpress.org/plugins/safe-svg/ 5 5 * Description: Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website 6 * Version: 2.3. 26 * Version: 2.3.3 7 7 * Requires at least: 6.6 8 8 * Requires PHP: 7.4 … … 25 25 } 26 26 27 define( 'SAFE_SVG_VERSION', '2.3. 2' );27 define( 'SAFE_SVG_VERSION', '2.3.3' ); 28 28 define( 'SAFE_SVG_PLUGIN_DIR', __DIR__ ); 29 29 define( 'SAFE_SVG_PLUGIN_URL', plugin_dir_url( __FILE__ ) ); -
safe-svg/trunk/vendor/autoload.php
r3331548 r3344112 20 20 require_once __DIR__ . '/composer/autoload_real.php'; 21 21 22 return ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386::getLoader();22 return ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4::getLoader(); -
safe-svg/trunk/vendor/composer/autoload_real.php
r3196634 r3344112 3 3 // autoload_real.php @generated by Composer 4 4 5 class ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd3865 class ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4 6 6 { 7 7 private static $loader; … … 25 25 require __DIR__ . '/platform_check.php'; 26 26 27 spl_autoload_register(array('ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386', 'loadClassLoader'), true, true);27 spl_autoload_register(array('ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4', 'loadClassLoader'), true, true); 28 28 self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__)); 29 spl_autoload_unregister(array('ComposerAutoloaderInit 0b1915d0293125b9288aa7a40c5cd386', 'loadClassLoader'));29 spl_autoload_unregister(array('ComposerAutoloaderInitb11636263ada0d11272a0b07c12577f4', 'loadClassLoader')); 30 30 31 31 require __DIR__ . '/autoload_static.php'; 32 call_user_func(\Composer\Autoload\ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::getInitializer($loader));32 call_user_func(\Composer\Autoload\ComposerStaticInitb11636263ada0d11272a0b07c12577f4::getInitializer($loader)); 33 33 34 34 $loader->register(true); -
safe-svg/trunk/vendor/composer/autoload_static.php
r3196634 r3344112 5 5 namespace Composer\Autoload; 6 6 7 class ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd3867 class ComposerStaticInitb11636263ada0d11272a0b07c12577f4 8 8 { 9 9 public static $prefixLengthsPsr4 = array ( … … 28 28 { 29 29 return \Closure::bind(function () use ($loader) { 30 $loader->prefixLengthsPsr4 = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$prefixLengthsPsr4;31 $loader->prefixDirsPsr4 = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$prefixDirsPsr4;32 $loader->classMap = ComposerStaticInit 0b1915d0293125b9288aa7a40c5cd386::$classMap;30 $loader->prefixLengthsPsr4 = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$prefixLengthsPsr4; 31 $loader->prefixDirsPsr4 = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$prefixDirsPsr4; 32 $loader->classMap = ComposerStaticInitb11636263ada0d11272a0b07c12577f4::$classMap; 33 33 34 34 }, null, ClassLoader::class); -
safe-svg/trunk/vendor/composer/installed.json
r3196634 r3344112 3 3 { 4 4 "name": "enshrined/svg-sanitize", 5 "version": "0. 19.0",6 "version_normalized": "0. 19.0.0",5 "version": "0.22.0", 6 "version_normalized": "0.22.0.0", 7 7 "source": { 8 8 "type": "git", 9 9 "url": "https://github.com/darylldoyle/svg-sanitizer.git", 10 "reference": " e95cd17be68e45f523cbfb0fe50cdd891b0cf20e"10 "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500" 11 11 }, 12 12 "dist": { 13 13 "type": "zip", 14 "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/ e95cd17be68e45f523cbfb0fe50cdd891b0cf20e",15 "reference": " e95cd17be68e45f523cbfb0fe50cdd891b0cf20e",14 "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/0afa95ea74be155a7bcd6c6fb60c276c39984500", 15 "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500", 16 16 "shasum": "" 17 17 }, … … 19 19 "ext-dom": "*", 20 20 "ext-libxml": "*", 21 "php": "^ 5.6 || ^7.0|| ^8.0"21 "php": "^7.1 || ^8.0" 22 22 }, 23 23 "require-dev": { 24 "phpunit/phpunit": "^ 5.7 || ^6.5 || ^8.5"24 "phpunit/phpunit": "^6.5 || ^8.5" 25 25 }, 26 "time": "202 4-06-18T10:27:15+00:00",26 "time": "2025-08-12T10:13:48+00:00", 27 27 "type": "library", 28 28 "installation-source": "dist", … … 45 45 "support": { 46 46 "issues": "https://github.com/darylldoyle/svg-sanitizer/issues", 47 "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0. 19.0"47 "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.22.0" 48 48 }, 49 49 "install-path": "../enshrined/svg-sanitize" -
safe-svg/trunk/vendor/composer/installed.php
r3331548 r3344112 2 2 'root' => array( 3 3 'name' => 'darylldoyle/safe-svg', 4 'pretty_version' => '2.3. 2',5 'version' => '2.3. 2.0',6 'reference' => ' b16407502325e4ebc6161b4aa07ea96547a7f0f8',4 'pretty_version' => '2.3.3', 5 'version' => '2.3.3.0', 6 'reference' => 'ebd92026e3e054c7aa60a0e8fabf1741801bb603', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../', … … 12 12 'versions' => array( 13 13 'darylldoyle/safe-svg' => array( 14 'pretty_version' => '2.3. 2',15 'version' => '2.3. 2.0',16 'reference' => ' b16407502325e4ebc6161b4aa07ea96547a7f0f8',14 'pretty_version' => '2.3.3', 15 'version' => '2.3.3.0', 16 'reference' => 'ebd92026e3e054c7aa60a0e8fabf1741801bb603', 17 17 'type' => 'wordpress-plugin', 18 18 'install_path' => __DIR__ . '/../../', … … 21 21 ), 22 22 'enshrined/svg-sanitize' => array( 23 'pretty_version' => '0. 19.0',24 'version' => '0. 19.0.0',25 'reference' => ' e95cd17be68e45f523cbfb0fe50cdd891b0cf20e',23 'pretty_version' => '0.22.0', 24 'version' => '0.22.0.0', 25 'reference' => '0afa95ea74be155a7bcd6c6fb60c276c39984500', 26 26 'type' => 'library', 27 27 'install_path' => __DIR__ . '/../enshrined/svg-sanitize', -
safe-svg/trunk/vendor/composer/platform_check.php
r2885114 r3344112 20 20 } 21 21 } 22 trigger_error( 23 'Composer detected issues in your platform: ' . implode(' ', $issues), 24 E_USER_ERROR 22 throw new \RuntimeException( 23 'Composer detected issues in your platform: ' . implode(' ', $issues) 25 24 ); 26 25 } -
safe-svg/trunk/vendor/enshrined/svg-sanitize/src/Exceptions/NestingException.php
r2683939 r3344112 19 19 * @param \DOMElement|null $element 20 20 */ 21 public function __construct($message = "", $code = 0, Exception $previous = null,\DOMElement $element = null)21 public function __construct($message = "", $code = 0, ?Exception $previous = null, ?\DOMElement $element = null) 22 22 { 23 23 $this->element = $element; -
safe-svg/trunk/vendor/enshrined/svg-sanitize/src/Sanitizer.php
r3196634 r3344112 221 221 } 222 222 223 // Strip php tags 224 $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty); 223 do { 224 /* 225 * recursively remove php tags because they can be hidden inside tags 226 * i.e. <?p<?php test?>hp echo . ' danger! ';?> 227 */ 228 $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty); 229 } while (preg_match('/<\?(=|php)(.+?)\?>/i', $dirty) != 0); 225 230 226 231 $this->resetInternal(); … … 417 422 * We have to do this as the link is still ran in this case. 418 423 */ 419 if (false !== str pos($attrName, 'href')) {424 if (false !== stripos($attrName, 'href')) { 420 425 $href = $element->getAttribute($attrName); 421 426 if (false === $this->isHrefSafeValue($href)) { … … 449 454 protected function cleanXlinkHrefs(\DOMElement $element) 450 455 { 451 $xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href'); 452 if (false === $this->isHrefSafeValue($xlinks)) { 453 $element->removeAttributeNS( 'http://www.w3.org/1999/xlink', 'href' ); 454 $this->xmlIssues[] = array( 455 'message' => 'Suspicious attribute \'href\'', 456 'line' => $element->getLineNo(), 457 ); 458 } 456 foreach ($element->attributes as $attribute) { 457 // remove attributes with unexpected namespace prefix, e.g. 
`XLinK:href` (instead of `xlink:href`) 458 if ($attribute->prefix === '' && strtolower($attribute->nodeName) === 'xlink:href') { 459 $element->removeAttribute($attribute->nodeName); 460 $this->xmlIssues[] = array( 461 'message' => sprintf('Unexpected attribute \'%s\'', $attribute->nodeName), 462 'line' => $element->getLineNo(), 463 ); 464 } 465 } 466 $this->cleanHrefAttributes($element, 'xlink'); 459 467 } 460 468 … … 466 474 protected function cleanHrefs(\DOMElement $element) 467 475 { 468 $href = $element->getAttribute('href'); 469 if (false === $this->isHrefSafeValue($href)) { 470 $element->removeAttribute('href'); 471 $this->xmlIssues[] = array( 472 'message' => 'Suspicious attribute \'href\'', 473 'line' => $element->getLineNo(), 474 ); 476 $this->cleanHrefAttributes($element); 477 } 478 479 protected function cleanHrefAttributes(\DOMElement $element, string $prefix = ''): void 480 { 481 $relevantAttributes = array_filter( 482 iterator_to_array($element->attributes), 483 static function (\DOMAttr $attr) use ($prefix) { 484 return strtolower($attr->name) === 'href' && strtolower($attr->prefix) === $prefix; 485 } 486 ); 487 foreach ($relevantAttributes as $attribute) { 488 if (!$this->isHrefSafeValue($attribute->value)) { 489 $element->removeAttribute($attribute->nodeName); 490 $this->xmlIssues[] = array( 491 'message' => sprintf('Suspicious attribute \'%s\'', $attribute->nodeName), 492 'line' => $element->getLineNo(), 493 ); 494 continue; 495 } 496 // in case the attribute name is `HrEf`/`xlink:HrEf`, adjust it to `href`/`xlink:href` 497 if (!in_array($attribute->nodeName, $this->allowedAttrs, true) 498 && in_array(strtolower($attribute->nodeName), $this->allowedAttrs, true) 499 ) { 500 $element->removeAttribute($attribute->nodeName); 501 $element->setAttribute(strtolower($attribute->nodeName), $attribute->value); 502 } 475 503 } 476 504 } -
safe-svg/trunk/vendor/enshrined/svg-sanitize/src/data/AllowedAttributes.php
r2885114 r3344112 144 144 'display', 145 145 'divisor', 146 'dominant-baseline', 146 147 'dur', 147 148 'edgemode',