SVG Sanitizer features added #2182

Open
wants to merge 8 commits into base: 2.1

Conversation

VikassWebkul214254
Collaborator

@VikassWebkul214254 VikassWebkul214254 requested review from sagarkumar-webkul and removed request for devansh-webkul April 28, 2025 11:31
amit-webkul
amit-webkul previously approved these changes Apr 28, 2025
@VikassWebkul214254 VikassWebkul214254 requested review from Copilot and removed request for sagarkumar-webkul April 28, 2025 14:08

@Copilot Copilot AI left a comment


Copilot reviewed 1 out of 5 changed files in this pull request and generated no comments.

Files not reviewed (4)
  • composer.json: Language not supported
  • packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php: Language not supported
  • packages/Webkul/Admin/src/Resources/views/components/form/control-group/control.blade.php: Language not supported
  • packages/Webkul/Core/src/Traits/Sanitizer.php: Language not supported

@sagarkumar-webkul
Collaborator

The SVG sanitiser feature has been implemented; however, a UI issue occurs during SVG image upload that needs to be addressed. Additionally, the password does not change after following the provided testing steps.
https://webkul.chatwhizz.com/share/view-recording/681217cb3112bb06ef375177

@VikassWebkul214254
Collaborator Author

The SVG sanitiser feature has been implemented; however, a UI issue occurs during SVG image upload that needs to be addressed. Additionally, the password does not change after following the provided testing steps. -https://webkul.chatwhizz.com/share/view-recording/681217cb3112bb06ef375177

File broken issue is not found in my instance. You need to verify it again.

@sagarkumar-webkul
Collaborator

I have retested the issue—currently, the image is not visible after uploading.
https://webkul.chatwhizz.com/share/view-recording/681456edc4a93f076923eab3

- Fix uploaded attachments not displaying properly
- Fix TinyMCE editor not appearing after replying twice in mail view
- Fix TinyMCE editor not loading in configuration page

@sagarkumar-webkul
Collaborator

I've tested this issue further and found that while the SVG file is no longer capable of changing admin credentials, it can still trigger an alert() message when opened in a new browser tab.
This indicates that the SVG content is not fully sanitized — embedded JavaScript inside the SVG is still being executed. Although the direct credential change is blocked, this could still be a vector for XSS attacks or social engineering if not handled properly.
Video link 1: https://webkul.chatwhizz.com/share/view-recording/681dc4d627c29f37d004d16c
Video link 2: https://webkul.chatwhizz.com/share/view-recording/681dc8ab27c29f37d004d2c1

@sagarkumar-webkul
Collaborator

Verified: The SVG file has been sanitized to remove embedded scripts for security compliance. As a result, any interactive features (such as JavaScript-based functionality) within the SVG no longer work when opened directly in a new tab.
https://webkul.chatwhizz.com/share/view-recording/681de3de27c29f37d004dc6b
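Added example, not part of this pull request or of the Webkul code base: the two test reports above (alert() still firing from the uploaded SVG, then the file verified as script-free) come down to one question, whether any script-bearing construct survives in the stored file. The Python below parses an SVG as XML, removes the elements and attributes that can run script (script and foreignObject elements, on* event handlers, javascript: and non-image data: URLs in href/src) and exposes active_content() as a check a reviewer can run over the stored file instead of opening it in a new tab. The element and attribute lists, the helper names and the sample SVG are my own assumptions; nothing here uses or imitates the project's Sanitizer trait.

```python
"""Added example (not Webkul code): strip active content from an uploaded
SVG and re-check the result.  The element/attribute lists are assumptions
of this example, not taken from the project's Sanitizer trait."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign (HTML) content.  Compared in lower
# case because inline SVG inside an HTML page is parsed case-insensitively.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes whose value is a URL the browser may navigate to or load.
URI_ATTRS = {"href", "src"}


def _local(name: str) -> str:
    """Local part of an ElementTree '{namespace}name' tag or attribute."""
    return name.rsplit("}", 1)[-1]


def _is_unsafe_uri(value: str) -> bool:
    """True for javascript:/vbscript: URLs and for data: URLs that are not images.

    Whitespace and control characters are dropped first: browsers ignore them
    inside the scheme, so a scheme split by a newline still runs.
    """
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    if ":" not in cleaned:
        return False                     # relative reference or '#fragment'
    scheme, rest = cleaned.split(":", 1)
    if scheme in ("javascript", "vbscript"):
        return True
    if scheme == "data":
        return not rest.startswith("image/")
    return False


def _attr_is_active(name: str, value: str) -> bool:
    """Event handlers (on*) and unsafe URL attributes carry active content."""
    local = _local(name).lower()
    return local.startswith("on") or (local in URI_ATTRS and _is_unsafe_uri(value))


def active_content(svg_text: str) -> list[str]:
    """List script-bearing constructs in an SVG; an empty list means clean."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag).lower()
        if tag in FORBIDDEN_TAGS:
            findings.append(f"element <{tag}>")
        for name, value in el.attrib.items():
            if _attr_is_active(name, value):
                findings.append(f"attribute {_local(name)} on <{tag}>")
    return findings


def sanitize_svg(svg_text: str) -> str:
    """Drop forbidden elements and active attributes from the parsed tree.

    Working on the tree rather than with regular expressions means entity-
    encoded or oddly-cased markup is handled the way a browser would read it.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag).lower() != "svg":
        raise ValueError("not an SVG document")   # e.g. HTML uploaded as .svg
    # Snapshot the tree first; removing children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag).lower() in FORBIDDEN_TAGS:
                parent.remove(child)
    for el in root.iter():
        for name in list(el.attrib):
            if _attr_is_active(name, el.attrib[name]):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")


# Constructed sample, modelled on the behaviour the thread describes:
# an SVG that pops alert() when opened directly in a new tab.
UNSAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert('onload')">
  <script>alert('script element')</script>
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
  <a xlink:href="java&#10;script:alert('link')"><text x="10" y="90">click</text></a>
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x"/></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    print("before:", active_content(UNSAFE_SVG))
    clean = sanitize_svg(UNSAFE_SVG)
    print("after: ", active_content(clean))
    print(clean)
```

Two points matter for the thread. The check runs on the parsed tree, so an href written as `java&#10;script:` or a mixed-case element is caught the same way a browser would interpret it, which a plain string search would miss. And a deny-list like this one is only an illustration: production code should rely on a maintained allow-list sanitizer and, since uploaded SVG is untrusted XML, a hardened parser; serving uploads with a `Content-Security-Policy: sandbox` response header adds a second layer if a file ever gets through unsanitized.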

5 participants