-
Oliver Hader authored
This change introduces behavior of extension `t3g/svg-sanitizer` into the TYPO3 core. Sanitizing SVG data is actually done by external package `enshrined/svg-sanitize` by Daryll Doyle. The following aspects are introduced: + handle `GeneralUtility::upload_copy_move` invocations + handle FAL action events `file-add`, `file-replace`, `set-content` + provide upgrade wizard, sanitizing all SVG files in storages that are using `LocalDriver` Custom usage: ``` $sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer(); $sanitizer->sanitizeFile($sourcePath, $targetPath); $svg = $sanitizer->sanitizeContent($svg); ``` Basically this change enforces following public service announcements concerning SVG files, to enhance these security aspects per default: + https://typo3.org/security/advisory/typo3-psa-2020-003 + https://typo3.org/security/advisory/typo3-psa-2019-010 Resolves: #94492 Releases: master, 10.4, 9.5 Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69809 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
c506e6fb
composer.lock 280.19 KiB