Conversation

@CySSoO (Contributor) commented Sep 8, 2025

Summary

  • add configuration upload field for custom SVG when PrettyBlocks is active
  • handle SVG upload saving files into module's svg directory

Testing

  • php -l everblock.php
  • composer validate --no-check-all

https://chatgpt.com/codex/tasks/task_e_68beed1d7f8c83229200f30c10fcf4a3

@CySSoO CySSoO merged commit b9afe17 into master Sep 8, 2025
0 of 6 checks passed

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


Codex Review: Here are some suggestions.

Reply with @codex fix comments to fix any unresolved comments.

About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".

@CySSoO (Contributor, Author) commented Sep 8, 2025

@codex fix comments

@chatgpt-codex-connector bot left a comment

Codex Review: Here are some suggestions.

everblock/everblock.php

Lines 3643 to 3661 in b9afe17

if (isset($_FILES['CUSTOM_SVG'])
    && isset($_FILES['CUSTOM_SVG']['tmp_name'])
    && !empty($_FILES['CUSTOM_SVG']['tmp_name'])
) {
    $filename = $_FILES['CUSTOM_SVG']['name'];
    $exploded_filename = explode('.', $filename);
    $ext = end($exploded_filename);
    if (Tools::strtolower($ext) != 'svg') {
        $this->postErrors[] = $this->l('Error : File is not valid.');
        return false;
    }
    if (!($tmp_name = tempnam(_PS_TMP_IMG_DIR_, 'PS'))
        || !move_uploaded_file($_FILES['CUSTOM_SVG']['tmp_name'], $tmp_name)
    ) {
        return false;
    }
    $safeName = preg_replace('/[^a-zA-Z0-9-_\.]/', '', $filename);
    copy($tmp_name, _PS_MODULE_DIR_ . $this->name . '/views/img/svg/' . $safeName);
    $this->html .= $this->displayConfirmation($this->l('File has been uploaded'));

[P1] Validate SVG uploads to prevent XSS

The new uploadSvgFile() method copies any uploaded file with a .svg extension directly into views/img/svg without inspecting the contents. PrettyBlocks templates render icons from that folder (prettyblock_reassurance.tpl, prettyblock_social_links.tpl, etc.) via <img> tags, so a back‑office user with upload rights can craft an SVG containing <script> or event handlers that will execute in customer browsers. Because no sanitisation or content filtering occurs here, this introduces a stored XSS vector. Consider rejecting SVGs containing scripting elements or running the file through a sanitizer before saving.


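
A content check of the kind the review asks for, added here as an example (it is not code from the everblock module or from this PR): it parses the uploaded file with PHP's DOMDocument and rejects the constructs that turn an icon into a stored XSS payload instead of trusting the .svg extension. The policy it enforces (SVG namespace only, no script or foreignObject elements, no on* attributes, hrefs limited to fragments, no external loads via CSS) is an assumption of this example, not something the module defines.

```php
<?php
// Added example, not code from the everblock module or the PR under review.
// Content check for an uploaded SVG icon, to run after the extension test and
// before the file is copied into views/img/svg. Policy assumed here: plain SVG
// markup only, no scripting, no embedded HTML, hrefs limited to '#fragment'.
const SVG_NS = 'http://www.w3.org/2000/svg';
function svgContentIsSafe(string $svg, array &$reasons = []): bool
{
    $reasons = [];
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: no network fetches while parsing; LIBXML_NOENT is left out so entities are never expanded.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) { $reasons[] = 'not well-formed XML'; return false; }
    if ($doc->doctype !== null) {
        $reasons[] = 'DOCTYPE / entity declarations are not allowed';
    }
    $root = $doc->documentElement;
    if ($root->localName !== 'svg' || $root->namespaceURI !== SVG_NS) {
        $reasons[] = 'root element is not <svg> in the SVG namespace';
    }
    $cssRisk = '/url\s*\(|expression\s*\(|@import/i'; // external loads via CSS
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->localName);
        if ($el->namespaceURI !== SVG_NS) {
            $reasons[] = "element outside the SVG namespace: <{$el->nodeName}>";
        } elseif ($tag === 'script' || $tag === 'foreignobject') {
            $reasons[] = "forbidden element <{$el->nodeName}>";
        } elseif ($tag === 'style' && preg_match($cssRisk, $el->textContent)) {
            $reasons[] = '<style> references external resources';
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->localName);
            if (strpos($name, 'on') === 0) { // onload, onclick, onbegin, ...
                $reasons[] = "event handler attribute {$attr->nodeName}";
            } elseif ($name === 'href') {    // localName also matches xlink:href
                $v = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                if ($v !== '' && $v[0] !== '#') {
                    $reasons[] = "non-fragment href: {$attr->value}";
                }
            } elseif ($name === 'style' && preg_match($cssRisk, $attr->value)) {
                $reasons[] = 'style attribute references external resources';
            }
        }
    }
    return $reasons === [];
}
```

Call it on the contents of the moved temporary file before the copy() into views/img/svg; when it returns false, the $reasons array lists every rejected construct so the back-office error message can say what was wrong.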
