[BUGFIX] Mitigate incorrect libxml usage of "enshrined/svg-sanitize"

External "enshrined/svg-sanitize" package uses `libxml_use_internal_errors()`, but fails to clear errors using libxml_clear_errors(). This can lead to side effects with subsequest libxml usages. An upstream patch to fix this is pending, but it needs to be merged and released. In the meantime, we mitigate the issue in our wrapper class. See: darylldoyle/svg-sanitizer#90 Resolves: #100607 Releases: main, 11.5 Change-Id: I911119b498a4dda8312c5ca940b5fdf6410a1a87 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78648 Tested-by: core-ci <typo3@b13.com> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
TYPO3-CMS · Apr 14, 2023 · 054f02d · 054f02d
1 parent 83ae785
commit 054f02d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/Classes/Resource/Security/SvgSanitizer.php b/Classes/Resource/Security/SvgSanitizer.php
@@ -49,8 +49,13 @@ public function sanitizeFile(string $sourcePath, string $targetPath = null): voi
      */
     public function sanitizeContent(string $svg): string
     {
+        // @todo: Simplify again when https://github.com/darylldoyle/svg-sanitizer/pull/90 is merged and released.
+        $previousXmlErrorHandling = libxml_use_internal_errors(true);
         $sanitizer = new Sanitizer();
         $sanitizer->removeRemoteReferences(true);
-        return $sanitizer->sanitize($svg) ?: '';
+        $sanitizedString = $sanitizer->sanitize($svg) ?: '';
+        libxml_clear_errors();
+        libxml_use_internal_errors($previousXmlErrorHandling);
+        return $sanitizedString;
     }
 }
diff --git a/Tests/Functional/Resource/Security/SvgSanitizerTest.php b/Tests/Functional/Resource/Security/SvgSanitizerTest.php
@@ -42,24 +42,24 @@ public function svgContentIsSanitizedDataProvider(): array
         $data = [];
         foreach ($finder as $file) {
             $fileName = $file->getFilename();
-            $data[$fileName] = ['DirtySVG/' . $fileName, 'CleanSVG/' . $fileName];
+            $data[$fileName] = [
+                $basePath . 'DirtySVG/' . $fileName,
+                $basePath . 'CleanSVG/' . $fileName,
+            ];
         }
         return $data;
     }
 
     /**
-     * @param string $filePath
-     * @param string $sanitizedFilePath
      * @test
      * @dataProvider svgContentIsSanitizedDataProvider
      */
-    public function svgContentIsSanitized($filePath, $sanitizedFilePath): void
+    public function svgContentIsSanitized(string $filePath, string $sanitizedFilePath): void
     {
-        $basePath = dirname(__FILE__, 2) . '/Fixtures/';
         $sanitizer = new SvgSanitizer();
         self::assertStringEqualsFile(
-            $basePath . $sanitizedFilePath,
-            $sanitizer->sanitizeContent(file_get_contents($basePath . $filePath))
+            $sanitizedFilePath,
+            $sanitizer->sanitizeContent(file_get_contents($filePath))
         );
     }
 }