Merge remote-tracking branch 'origin/support/2.6' into support/2.7

# Conflicts: # core/htmlsanitizer.class.inc.php
2026-04-23 02:28:44 +02:00 · 2021-11-23 17:56:26 +01:00
parent 77880c3675 81a2a9278c
commit efaf53e568
11 changed files with 584 additions and 260 deletions
--- a/core/attributedef.class.inc.php
+++ b/core/attributedef.class.inc.php
@@ -7978,6 +7978,13 @@ class AttributeImage extends AttributeBlob
 	{
 		$oDoc = parent::MakeRealValue($proposedValue, $oHostObj);

+		if (($oDoc instanceof ormDocument)
+			&& (false === $oDoc->IsEmpty())
+			&& ($oDoc->GetMimeType() === 'image/svg+xml')) {
+			$sCleanSvg = HTMLSanitizer::Sanitize($oDoc->GetData(), 'svg_sanitizer');
+			$oDoc = new ormDocument($sCleanSvg, $oDoc->GetMimeType(), $oDoc->GetFileName());
+		}
+
 		// The validation of the MIME Type is done by CheckFormat below
 		return $oDoc;
 	}