github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 04:01:18 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove event handlers from SVG files

Browse Source
This commit is contained in:
Dan Ungureanu
2019-12-11 16:28:35 +02:00
parent adfa793731
commit 4e130f1e03
2 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/upload_creator.rb
View File

@ -277,6 +277,7 @@ class UploadCreator
def whitelist_svg!
doc = Nokogiri::XML(@file)
doc.xpath(svg_whitelist_xpath).remove
doc.xpath("//@*[starts-with(name(), 'on')]").remove
File.write(@file.path, doc.to_s)
@file.rewind
end