Security fixes - Disable svg upload in my files + fix XSS

main/template/default/social/user_block.tpl

@@ -22,7 +22,7 @@
             <div id="sn-avatar-one" class="panel-collapse collapse in" role="tabpanel" aria-labelledby="heading-sn">
                 <div class="panel-body">
                     <div class="area-avatar">
-                    {{ social_avatar_block }}
+                        {{ social_avatar_block }}
                         {% if user.icon_status %}
                             <!-- User icon -->
                             <div class="avatar-icon">
@@ -102,27 +102,30 @@
                             {% set linkedin_url = '' %}
                             {% for extra in user.extra %}
                                 {% if extra.value.getField().getVariable() == 'skype' %}
-                                    {% set skype_account = extra.value.getValue() | remove_xss %}
+                                    {% set skype_account %}
+                                    <a href="skype:{{ extra.value.getValue() }}?chat">
+                                        <span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
+                                    </a>
+                                    {% endset %}
                                 {% endif %}
-
                                 {% if extra.value.getField().getVariable() == 'linkedin_url' %}
-                                    {% set linkedin_url = extra.value.getValue() | remove_xss %}
+                                    {% set linkedin_url %}
+                                        <a href="{{ extra.value.getValue() }}" target="_blank">
+                                            <span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
+                                        </a>
+                                    {% endset %}
                                 {% endif %}
                             {% endfor %}
 
                             {% if 'allow_show_skype_account'|api_get_setting == 'true' and not skype_account is empty %}
                                 <li class="item">
-                                    <a href="skype:{{ skype_account }}?chat">
-                                        <span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
-                                    </a>
+                                    {{ skype_account | remove_xss}}
                                 </li>
                             {% endif %}
 
                             {% if 'allow_show_linkedin_url'|api_get_setting == 'true' and not linkedin_url is empty %}
                                 <li class="item">
-                                    <a href="{{ linkedin_url }}" target="_blank">
-                                        <span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
-                                    </a>
+                                    {{ linkedin_url | remove_xss}}
                                 </li>
                             {% endif %}
                         {% endif %}

src/Chamilo/CoreBundle/Component/Editor/Driver/PersonalDriver.php

@@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */
 
 namespace Chamilo\CoreBundle\Component\Editor\Driver;
@@ -7,8 +8,6 @@ namespace Chamilo\CoreBundle\Component\Editor\Driver;
  * Class PersonalDriver.
  *
  * @todo add more checks in upload/rm
- *
- * @package Chamilo\CoreBundle\Component\Editor\Driver
  */
 class PersonalDriver extends Driver implements DriverInterface
 {
@@ -49,6 +48,8 @@ class PersonalDriver extends Driver implements DriverInterface
                     'text/html',
                     'text/javascript',
                     'text/ecmascript',
+                    'image/svg+xml',
+                    'image/svg',
                 ];
 
                 $driver = [