From ae34c61954d9c0beb88d27d06fd710d3c168c819 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Givord?=
Date: Wed, 28 Feb 2024 09:59:54 -0500
Subject: [PATCH] Add option to delete remote references in svg sanitizer
---
src/config/GeneralConfig.php | 39 ++++++++++++++++++++++++++++++++++++
src/services/Images.php | 1 +
2 files changed, 40 insertions(+)
diff --git a/src/config/GeneralConfig.php b/src/config/GeneralConfig.php
index 2b6c5738d38..9e9901d45f7 100644
--- a/src/config/GeneralConfig.php
+++ b/src/config/GeneralConfig.php
@@ -2557,6 +2557,24 @@ class GeneralConfig extends BaseConfig
 */
 public bool $sanitizeSvgUploads = true;
 
+ /**
+ * @var bool Whether Craft should sanitize uploaded SVG files and delete any remote references.
+ *
+ * This should definitely be enabled if you are accepting SVG uploads from untrusted sources.
+ *
+ * ::: code
+ * ```php Static Config
+ * ->sanitizeSvgRemoteRefs(true)
+ * ```
+ * ```shell Environment Override
+ * CRAFT_SANITIZE_SVG_REMOTE_REFS=true
+ * ```
+ * :::
+ *
+ * @group Security
+ */
+ public bool $sanitizeSvgRemoteRefs = false;
+
 /**
 * @var string A private, random, cryptographically-secure key that is used for hashing and encrypting data in [[\craft\services\Security]].
 *
@@ -5963,6 +5981,27 @@ public function sanitizeSvgUploads(bool $value = true): self
 return $this;
 }
 
+ /**
+ * Whether Craft should sanitize uploaded SVG files and delete any remote references.
+ *
+ * This should definitely be enabled if you are accepting SVG uploads from untrusted sources.
+ *
+ * ```php
+ * ->sanitizeSvgRemoteRefs(true)
+ * ```
+ *
+ * @group Security
+ * @param bool $value
+ * @return self
+ * @see $sanitizeSvgRemoteRefs
+ * @since 4.9.0
+ */
+ public function sanitizeSvgRemoteRefs(bool $value = false): self
+ {
+ $this->sanitizeSvgRemoteRefs = $value;
+ return $this;
+ }
+
 /**
 * A private, random, cryptographically-secure key that is used for hashing and encrypting data in [[\craft\services\Security]].
 *
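Review bot: The `@var` description on the new `$sanitizeSvgRemoteRefs` property reads as if the option controls sanitizing itself, which `$sanitizeSvgUploads` already does; it should say what is actually stripped and that it is an extra step on top of sanitizing, e.g. `@var bool Whether the SVG sanitizer should also strip references to remote resources (external URLs in href/xlink:href and url() values) from uploaded SVG files.` It would also help to state that the option defaults to `false` for backward compatibility and presumably has no effect unless `$sanitizeSvgUploads` is enabled — the latter is inferred from the call site in Images.php and should be confirmed. The property docblock also lacks the `@since 4.9.0` tag that the matching setter in the second hunk carries, and that setter repeats the same wording.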
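Review bot: The new setter defaults to `bool $value = false`, so a config builder that calls `->sanitizeSvgRemoteRefs()` without an argument silently disables the option, the opposite of the adjacent `sanitizeSvgUploads(bool $value = true)` and an easy way to lose a security-hardening setting by omission. Defaulting the parameter to `true` keeps the setter consistent with its sibling: `public function sanitizeSvgRemoteRefs(bool $value = true): self`. The `@param bool $value` line restates the native type and could be dropped or given a one-line meaning instead.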
diff --git a/src/services/Images.php b/src/services/Images.php
index 8146df26dba..ff83e8a1183 100644
--- a/src/services/Images.php
+++ b/src/services/Images.php
@@ -325,6 +325,7 @@ public function cleanImage(string $filePath): void
 }
 
 $sanitizer = new Sanitizer();
+ $sanitizer->removeRemoteReferences(Craft::$app->getConfig()->getGeneral()->sanitizeSvgRemoteRefs);
 $sanitizer->setAllowedAttrs(new SvgAllowedAttributes());
 $svgContents = file_get_contents($filePath);
 $svgContents = $sanitizer->sanitize($svgContents);
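Review bot: The added `removeRemoteReferences(...)` call carries no comment saying what it strips or why it is gated by config, which matters for anyone later auditing what the SVG upload path actually removes; suggest `// Optionally strip references to external resources (href/xlink:href/url() targets) so an uploaded SVG cannot reach out to remote hosts; off by default for backward compatibility.` Reading the general config inline on every call is fine, but if `cleanImage` already holds a `$generalConfig` local earlier in its body, reuse it for consistency — the method starts outside the hunk, so that cannot be checked here. If a `Sanitizer` is constructed anywhere else for SVG content, the same option should be applied there so the config setting is honoured consistently.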