[ 'ValidTitle.jpg', 'ValidTitle.jpg', UploadBase::OK,
'upload valid title' ],
/* A title with a slash */
- [ 'A/B.jpg', 'B.jpg', UploadBase::OK,
+ [ 'A/B.jpg', 'A-B.jpg', UploadBase::OK,
'upload title with slash' ],
/* A title with illegal char */
[ 'A:B.jpg', 'A-B.jpg', UploadBase::OK,
false,
'SVG with external entity'
],
-
+ [
+ "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1 https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>",
+ true,
+ true,
+ 'SVG with javascript <a> link with newline (T122653)'
+ ],
// Test good, but strange files that we want to allow
[
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g> <a xlink:href="http://en.wikipedia.org/wiki/Main_Page"> <path transform="translate(0,496)" id="path6706" d="m 112.09375,107.6875 -5.0625,3.625 -4.3125,5.03125 -0.46875,0.5 -4.09375,3.34375 -9.125,5.28125 -8.625,-3.375 z" style="fill:#cccccc;fill-opacity:1;stroke:#6e6e6e;stroke-width:0.69999999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;display:inline" /> </a> </g> </svg>',
];
// @codingStandardsIgnoreEnd
}
+
+ /**
+ * @dataProvider provideCheckXMLEncodingMissmatch
+ */
+ public function testCheckXMLEncodingMissmatch( $fileContents, $evil ) {
+ $filename = $this->getNewTempFile();
+ file_put_contents( $filename, $fileContents );
+ $this->assertSame( UploadBase::checkXMLEncodingMissmatch( $filename ), $evil );
+ }
+
+ public function provideCheckXMLEncodingMissmatch() {
+ return [
+ [ '<?xml version="1.0" encoding="utf-7"?><svg></svg>', true ],
+ [ '<?xml version="1.0" encoding="utf-8"?><svg></svg>', false ],
+ [ '<?xml version="1.0" encoding="WINDOWS-1252"?><svg></svg>', false ],
+ ];
+ }
}
class UploadTestHandler extends UploadBase {