CFP-68 - Sanitized SVG content to fix Cross-Site Scripting issues

README.md

@@ -4,7 +4,7 @@
 **Tags:** typography, fonts, custom fonts, Google Fonts, performance, privacy, full site editing, adobe fonts, GDPR  
 **Requires at least:** 5.0  
 **Tested up to:** 6.5  
-**Stable tag:** 2.1.4  
+**Stable tag:** 2.1.5  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 
@@ -151,6 +151,9 @@ Yes, Custom Fonts is completely free to use, without any limitation.
 
 
 ## Changelog ##
+### 2.1.5 ###
+- Improved codebase for improved security.
+
 ### 2.1.4 ###
 - Improvement: Compatibility with WordPress 6.5.
 

admin/dashboard/assets/src/dashboard-app/pages/fonts/LocalFont.js

@@ -44,12 +44,26 @@ const LocalVariationItem = ({
 				}
 			);
 
-			//loop through the array and do things with each attachment
+			//loop through the array and do things with each attachment & Validate file extensions.
 			let fontFileNames = [];
 			for (let i = 0; i < attachments.length; ++i) {
-				fontFileNames.push(attachments[i].attributes.url);
+				// Check if the file extension is allowed
+				const allowedExtensions = ['.ttf', '.otf', '.woff', '.woff2', '.eot', '.svg'];
+				const fileName = attachments[i].attributes.url.toLowerCase();
+				const extension = fileName.substr(fileName.lastIndexOf('.'));
+				if (allowedExtensions.includes(extension)) {
+					fontFileNames.push(attachments[i].attributes.url);
+				} else {
+					// Reject the file upload and display an error message
+					alert(
+						__(
+							"Invalid file type. Only .ttf, .otf, .woff, .woff2, .svg files are allowed.",
+							"custom-fonts"
+						)
+					);
+					return;
+				}
 			}
-
 			setFontFileName( fontFileNames );
 			handleVariationChange(
 				event,
@@ -58,10 +72,9 @@ const LocalVariationItem = ({
 				fontFileNames
 			);
 		});
-
 		// Finally, open the modal on click
 		frame.open();
-	}
+	};
 
 	const expandFileField = (e) => {
 		e.preventDefault();

admin/dashboard/assets/src/dashboard-app/pages/fonts/edit/EditLocalFont.js

@@ -49,12 +49,26 @@ const EditLocalVariationItem = ({
 				}
 			);
 
-			//loop through the array and do things with each attachment
+			//loop through the array and do things with each attachment & Validate file extensions.
 			let fontFileNames = [];
 			for (let i = 0; i < attachments.length; ++i) {
-				fontFileNames.push(attachments[i].attributes.url);
+				// Check if the file extension is allowed
+				const allowedExtensions = ['.ttf', '.otf', '.woff', '.woff2', '.eot', '.svg'];
+				const fileName = attachments[i].attributes.url.toLowerCase();
+				const extension = fileName.substr(fileName.lastIndexOf('.'));
+				if (allowedExtensions.includes(extension)) {
+					fontFileNames.push(attachments[i].attributes.url);
+				} else {
+					// Reject the file upload and display an error message
+					alert(
+						__(
+							'Invalid file type. Only .ttf, .otf, .woff, .woff2, .svg files are allowed.',
+							'custom-fonts'
+						)
+					);
+					return;
+				}
 			}
-
 			setFontFileName( fontFileNames );
 			handleVariationChange(
 				event,
@@ -63,10 +77,9 @@ const EditLocalVariationItem = ({
 				fontFileNames
 			);
 		});
-
 		// Finally, open the modal on click
 		frame.open();
-	}
+	};
 
 	const expandFileField = (e) => {
 		e.preventDefault();