Home Explore Help
Register Sign In
lqb
/
imgproxy
mirror of https://github.com/imgproxy/imgproxy.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c3c560c1e4
Branches Tags
imgproxy
/
svg
/
svg.go

svg.go 1.7 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. package svg
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"io"
    6. 

  6. 	"strings"
    7. 

  7. 

  8. 	"github.com/tdewolff/parse/v2"
    9. 

  9. 	"github.com/tdewolff/parse/v2/xml"
    10. 

  10. 

  11. 	"github.com/imgproxy/imgproxy/v3/imagedata"
    12. 

  12. )
    13. 

  13. 

  14. func cloneHeaders(src map[string]string) map[string]string {
    15. 

  15. 	if src == nil {
    16. 

  16. 		return nil
    17. 

  17. 	}
    18. 

  18. 

  19. 	dst := make(map[string]string, len(src))
    20. 

  20. 	for k, v := range src {
    21. 

  21. 		dst[k] = v
    22. 

  22. 	}
    23. 

  23. 

  24. 	return dst
    25. 

  25. }
    26. 

  26. 

  27. func Sanitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
    28. 

  28. 	r := bytes.NewReader(data.Data)
    29. 

  29. 	l := xml.NewLexer(parse.NewInput(r))
    30. 

  30. 

  31. 	buf, cancel := imagedata.BorrowBuffer()
    32. 

  32. 

  33. 	ignoreTag := 0
    34. 

  34. 

  35. 	var curTagName string
    36. 

  36. 

  37. 	for {
    38. 

  38. 		tt, tdata := l.Next()
    39. 

  39. 

  40. 		if ignoreTag > 0 {
    41. 

  41. 			switch tt {
    42. 

  42. 			case xml.ErrorToken:
    43. 

  43. 				cancel()
    44. 

  44. 				return nil, l.Err()
    45. 

  45. 			case xml.EndTagToken, xml.StartTagCloseVoidToken:
    46. 

  46. 				ignoreTag--
    47. 

  47. 			case xml.StartTagToken:
    48. 

  48. 				ignoreTag++
    49. 

  49. 			}
    50. 

  50. 

  51. 			continue
    52. 

  52. 		}
    53. 

  53. 

  54. 		switch tt {
    55. 

  55. 		case xml.ErrorToken:
    56. 

  56. 			if l.Err() != io.EOF {
    57. 

  57. 				cancel()
    58. 

  58. 				return nil, l.Err()
    59. 

  59. 			}
    60. 

  60. 

  61. 			newData := imagedata.ImageData{
    62. 

  62. 				Data:    buf.Bytes(),
    63. 

  63. 				Type:    data.Type,
    64. 

  64. 				Headers: cloneHeaders(data.Headers),
    65. 

  65. 			}
    66. 

  66. 			newData.SetCancel(cancel)
    67. 

  67. 

  68. 			return &newData, nil
    69. 

  69. 		case xml.StartTagToken:
    70. 

  70. 			curTagName = strings.ToLower(string(l.Text()))
    71. 

  71. 

  72. 			if curTagName == "script" {
    73. 

  73. 				ignoreTag++
    74. 

  74. 				continue
    75. 

  75. 			}
    76. 

  76. 

  77. 			buf.Write(tdata)
    78. 

  78. 		case xml.AttributeToken:
    79. 

  79. 			attrName := strings.ToLower(string(l.Text()))
    80. 

  80. 

  81. 			if _, unsafe := unsafeAttrs[attrName]; unsafe {
    82. 

  82. 				continue
    83. 

  83. 			}
    84. 

  84. 

  85. 			if curTagName == "use" && (attrName == "href" || attrName == "xlink:href") {
    86. 

  86. 				val := strings.TrimSpace(strings.Trim(string(l.AttrVal()), `"'`))
    87. 

  87. 				if len(val) > 0 && val[0] != '#' {
    88. 

  88. 					continue
    89. 

  89. 				}
    90. 

  90. 			}
    91. 

  91. 

  92. 			buf.Write(tdata)
    93. 

  93. 		default:
    94. 

  94. 			buf.Write(tdata)
    95. 

  95. 		}
    96. 

  96. 	}
    97. 

  97. }
    98.