[4.x] Ability to disable SVG sanitization on upload (#9839)

Co-authored-by: Jason Varga <[email protected]>
statamic · Apr 8, 2024 · 73db351 · 73db351
1 parent 2ff5db1
commit 73db351
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/config/assets.php b/config/assets.php
@@ -222,4 +222,17 @@
 
     'additional_uploadable_extensions' => [],
 
+    /*
+    |--------------------------------------------------------------------------
+    | SVG Sanitization
+    |--------------------------------------------------------------------------
+    |
+    | Statamic will automatically sanitize SVG files when uploaded to avoid
+    | potential security issues. However, if you have a valid reason for
+    | disabling this, and you trust your users, you may do so here.
+    |
+    */
+
+    'svg_sanitization_on_upload' => true,
+
 ];
diff --git a/src/Assets/Uploader.php b/src/Assets/Uploader.php
@@ -58,7 +58,7 @@ private function write($sourcePath, $destinationPath)
     {
         $stream = fopen($sourcePath, 'r');
 
-        if (Str::endsWith($destinationPath, '.svg')) {
+        if (config('statamic.assets.svg_sanitization_on_upload', true) && Str::endsWith($destinationPath, '.svg')) {
             $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
             $stream = $sanitizer->sanitize($svg = stream_get_contents($stream), [
                 'remove-xml-tags' => ! Str::startsWith($svg, '<?xml'),

diff --git a/tests/Assets/AssetTest.php b/tests/Assets/AssetTest.php
@@ -1816,6 +1816,30 @@ public function it_sanitizes_svgs_on_upload()
         $this->assertStringNotContainsString('</script>', $asset->contents());
     }
 
+    /** @test */
+    public function it_does_not_sanitizes_svgs_on_upload_when_behaviour_is_disabled()
+    {
+        Event::fake();
+
+        config()->set('statamic.assets.svg_sanitization_on_upload', false);
+
+        $asset = (new Asset)->container($this->container)->path('path/to/asset.svg')->syncOriginal();
+
+        Facades\AssetContainer::shouldReceive('findByHandle')->with('test_container')->andReturn($this->container);
+        Storage::disk('test')->assertMissing('path/to/asset.svg');
+
+        $return = $asset->upload(UploadedFile::fake()->createWithContent('asset.svg', '<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" width="500" height="500"><script type="text/javascript">alert(`Bad stuff could go in here.`);</script></svg>'));
+
+        $this->assertEquals($asset, $return);
+        Storage::disk('test')->assertExists('path/to/asset.svg');
+        $this->assertEquals('path/to/asset.svg', $asset->path());
+
+        // Ensure the inline scripts were stripped out.
+        $this->assertStringContainsString('<script', $asset->contents());
+        $this->assertStringContainsString('Bad stuff could go in here.', $asset->contents());
+        $this->assertStringContainsString('</script>', $asset->contents());
+    }
+
     public static function nonGlideableFileExtensionsProvider()
     {
         return [