Security fixes - Disable svg upload in my files + fix XSS

5 years ago · 0bfe48eb32
parent 9c24047384
commit 0bfe48eb32
2 changed files with 16 additions and 12 deletions
--- a/main/template/default/social/user_block.tpl
+++ b/main/template/default/social/user_block.tpl
@ -102,27 +102,30 @@
                            {% set linkedin_url = '' %}
                            {% for extra in user.extra %}
                                {% if extra.value.getField().getVariable() == 'skype' %}
-                                    {% set skype_account = extra.value.getValue() | remove_xss %}
+                                    {% set skype_account %}
+                                    <a href="skype:{{ extra.value.getValue() }}?chat">
+                                        <span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
+                                    </a>
+                                    {% endset %}
                                {% endif %}
-
                                {% if extra.value.getField().getVariable() == 'linkedin_url' %}
-                                    {% set linkedin_url = extra.value.getValue() | remove_xss %}
+                                    {% set linkedin_url %}
+                                        <a href="{{ extra.value.getValue() }}" target="_blank">
+                                            <span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
+                                        </a>
+                                    {% endset %}
                                {% endif %}
                            {% endfor %}

                            {% if 'allow_show_skype_account'|api_get_setting == 'true' and not skype_account is empty %}
                                <li class="item">
-                                    <a href="skype:{{ skype_account }}?chat">
-                                        <span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
-                                    </a>
+                                    {{ skype_account | remove_xss}}
                                </li>
                            {% endif %}

                            {% if 'allow_show_linkedin_url'|api_get_setting == 'true' and not linkedin_url is empty %}
                                <li class="item">
-                                    <a href="{{ linkedin_url }}" target="_blank">
-                                        <span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
-                                    </a>
+                                    {{ linkedin_url | remove_xss}}
                                </li>
                            {% endif %}
                        {% endif %}
--- a/src/Chamilo/CoreBundle/Component/Editor/Driver/PersonalDriver.php
+++ b/src/Chamilo/CoreBundle/Component/Editor/Driver/PersonalDriver.php
@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */

 namespace Chamilo\CoreBundle\Component\Editor\Driver;
@ -7,8 +8,6 @@ namespace Chamilo\CoreBundle\Component\Editor\Driver;
 * Class PersonalDriver.
 *
 * @todo add more checks in upload/rm
- *
- * @package Chamilo\CoreBundle\Component\Editor\Driver
 */
 class PersonalDriver extends Driver implements DriverInterface
 {
@ -49,6 +48,8 @@ class PersonalDriver extends Driver implements DriverInterface
                    'text/html',
                    'text/javascript',
                    'text/ecmascript',
+                    'image/svg+xml',
+                    'image/svg',
                ];

                $driver = [