Sergey Shepelevich pushed to branch release/4.2 at cms-community / hippo-cms


Commits:
e3e451ed by Sergey Shepelevich at 2018-01-17T11:27:43+01:00
CMS-11040 [Backport 11.2] Improvement on validation of svg images

(Cherry picked from commit 0de7f2a4d4736b4616abf96090c11f9a62fbbfe3)

- - - - -


2 changed files:

- 
editor/frontend/src/main/java/org/hippoecm/frontend/editor/plugins/linkpicker/GalleryUploadPanel.java
- 
gallery/frontend/src/main/java/org/hippoecm/frontend/plugins/gallery/GalleryWorkflowPlugin.java


Changes:

=====================================
editor/frontend/src/main/java/org/hippoecm/frontend/editor/plugins/linkpicker/GalleryUploadPanel.java
=====================================
--- 
a/editor/frontend/src/main/java/org/hippoecm/frontend/editor/plugins/linkpicker/GalleryUploadPanel.java
+++ 
b/editor/frontend/src/main/java/org/hippoecm/frontend/editor/plugins/linkpicker/GalleryUploadPanel.java
@@ -205,12 +205,11 @@ public abstract class GalleryUploadPanel extends Panel {
 
                 final boolean svgScriptsEnabled = 
pluginConfig.getAsBoolean(SVG_SCRIPTS_ENABLED, false);
                 if (!svgScriptsEnabled && Objects.equals(mimetype, 
SVG_MIME_TYPE)) {
-                    final String svgContent = IOUtils.toString(istream, 
"UTF-8");
-                    if (svgContent.contains("<script")) {
-                        istream.close();
+                    final String svgContent = new String(upload.getBytes());
+                    if (StringUtils.containsIgnoreCase(svgContent,"<script")) {
+                        IOUtils.closeQuietly(istream);
                         throw new SvgScriptGalleryException("SVG images with 
embedded script are not supported.");
                     }
-                    istream.reset();
                 }
 
                 //Get the selected folder from the folderReference Service
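Review bot: `new String(upload.getBytes())` on the added line decodes the upload with the JVM default charset, whereas the removed `IOUtils.toString(istream, "UTF-8")` pinned UTF-8, so whether `<script` is found now depends on the server's locale configuration. Pass the charset explicitly, `final String svgContent = new String(upload.getBytes(), StandardCharsets.UTF_8);` — the same line appears in the GalleryWorkflowPlugin hunk of this commit. Beyond that, a case-insensitive substring match only catches a literal `<script` element: an SVG encoded in anything other than a UTF-8-compatible encoding is not matched at all, and SVG can execute script through other XML constructs (event-handler attributes, for instance) that this check does not see, so if the intent is to reject all scripted SVG a parser-based check (with DTD and external entities disabled) that rejects script elements and event-handler attributes would be more reliable. Note also that `upload.getBytes()` loads the entire upload into memory; presumably an upload size limit is enforced elsewhere — worth confirming.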


=====================================
gallery/frontend/src/main/java/org/hippoecm/frontend/plugins/gallery/GalleryWorkflowPlugin.java
=====================================
--- 
a/gallery/frontend/src/main/java/org/hippoecm/frontend/plugins/gallery/GalleryWorkflowPlugin.java
+++ 
b/gallery/frontend/src/main/java/org/hippoecm/frontend/plugins/gallery/GalleryWorkflowPlugin.java
@@ -143,11 +143,10 @@ public class GalleryWorkflowPlugin extends 
CompatibilityWorkflowPlugin<GalleryWo
                 final boolean svgScriptsEnabled = 
GalleryWorkflowPlugin.this.getPluginConfig()
                         .getAsBoolean(SVG_SCRIPTS_ENABLED, false);
                 if (!svgScriptsEnabled && Objects.equals(mimeType, 
SVG_MIME_TYPE)) {
-                    final String svgContent = IOUtils.toString(is, "UTF-8");
+                    final String svgContent = new String(upload.getBytes());
                     if (StringUtils.containsIgnoreCase(svgContent, "<script")) 
{
                         throw new SvgScriptGalleryException("SVG images with 
embedded script are not supported.");
                     }
-                    is.reset();
                 }
 
                 WorkflowDescriptorModel workflowDescriptorModel = 
(WorkflowDescriptorModel) GalleryWorkflowPlugin.this
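Review bot: On the rejection path in this hunk `is` is left open when `SvgScriptGalleryException` is thrown, while the GalleryUploadPanel hunk of the same commit calls `IOUtils.closeQuietly(istream)` before throwing; unless `is` is closed in a finally block outside the hunk (the enclosing method continues past it), the two sites should be made consistent, e.g. `IOUtils.closeQuietly(is);` before the throw, or better, open `is` in a try-with-resources. The gate `Objects.equals(mimeType, SVG_MIME_TYPE)` is context, but the new check depends on it: if `mimeType` is taken from the client-supplied content type of the upload, an SVG submitted under another type is never inspected, so it is worth confirming that the type is determined server-side from the content rather than from the request.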



