// html5sec SVG vectors
[
'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
- true,
- true,
+ true, /* SVG is well formed */
+ true, /* Evil SVG detected */
'Script tag in svg (http://html5sec.org/#47)'
],
[
true,
false,
'DTD with aliased entities apos (Should be allowed)'
- ]
+ ],
+ [
+ '<svg xmlns="http://www.w3.org/2000/svg"><g filter="url( \'#foo\' )"></g></svg>',
+ true,
+ false,
+ 'SVG with local filter (T69044)'
+ ],
+ [
+ '<svg xmlns="http://www.w3.org/2000/svg"><g filter="url( http://example.com/#foo )"></g></svg>',
+ true,
+ true,
+ 'SVG with non-local filter (T69044)'
+ ],
+
];
// phpcs:enable
}
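Review bot: The two added filter rows pin only one spelling on each side of the local/non-local decision: the accepted reference is quoted (`'#foo'`) and the rejected one is unquoted (`http://example.com/#foo`). The check in UploadBase is not visible here, but if it inspects the `url( … )` value textually, a regression that keys on the quoting rather than on the target would still pass both rows. I would add the mirrored rows (local reference unquoted, non-local reference quoted) with the same expectations, so the test fixes the behaviour on the target alone. A one-line comment above the pair, such as `// filter="url(...)": local '#id' references pass, non-local ones are flagged (T69044)`, would also explain why the two `$evil` values differ. The provider method starts outside this hunk, so the column order is taken from the `/* SVG is well formed */` and `/* Evil SVG detected */` comments added earlier in the diff.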
public function testCheckXMLEncodingMissmatch( $fileContents, $evil ) {
$filename = $this->getNewTempFile();
file_put_contents( $filename, $fileContents );
- $this->assertSame( UploadBase::checkXMLEncodingMissmatch( $filename ), $evil );
+ $this->assertSame( $evil, UploadBase::checkXMLEncodingMissmatch( $filename ) );
}
public function provideCheckXMLEncodingMissmatch() {