Kd/fix allow svg doctype (#14344)

* make svg regex case-insensitive & use strict word boundary * allow doctype svg * add doctype tests * allow <!DOCTYPE svg> and <svg/>
2025-10-30 18:36:22 +01:00 · 2021-01-15 02:38:41 -07:00
parent a21adf92ec
commit bfd0c47ef6
2 changed files with 10 additions and 2 deletions
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -35,8 +35,8 @@ const sniffLen = 512
 // SVGMimeType MIME type of SVG images.
 const SVGMimeType = "image/svg+xml"

-var svgTagRegex = regexp.MustCompile(`(?s)\A\s*(?:<!--.*?-->\s*)*<svg\b`)
-var svgTagInXMLRegex = regexp.MustCompile(`(?s)\A<\?xml\b.*?\?>\s*(?:<!--.*?-->\s*)*<svg\b`)
+var svgTagRegex = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
+var svgTagInXMLRegex = regexp.MustCompile(`(?si)\A<\?xml\b.*?\?>\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)

 // EncodeMD5 encodes string to md5 hex value.
 func EncodeMD5(str string) string {
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -216,6 +216,9 @@ func TestIsSVGImageFile(t *testing.T) {
 	assert.True(t, IsSVGImageFile([]byte(`<!-- Multiline
 	Comment -->
 	<svg></svg>`)))
+	assert.True(t, IsSVGImageFile([]byte(`<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN"
+	"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd">
+	<svg></svg>`)))
 	assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
 	<!-- Comment -->
 	<svg></svg>`)))
@@ -227,6 +230,11 @@ func TestIsSVGImageFile(t *testing.T) {
 	<!-- Multline
 	Comment -->
 	<svg></svg>`)))
+	assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
+	<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+	<!-- Multline
+	Comment -->
+	<svg></svg>`)))
 	assert.False(t, IsSVGImageFile([]byte{}))
 	assert.False(t, IsSVGImageFile([]byte("svg")))
 	assert.False(t, IsSVGImageFile([]byte("<svgfoo></svgfoo>")))