SVG support

[dgrammatiko]

Pull Request for Issue # .

Summary of Changes

This PR enables svg uploads and introduces a sanitiser for svg files
Sanitizer source: https://github.com/darylldoyle/svg-sanitizer
It is missing some db needed updates, will do them if it gets approved

• This SHOULD NOT interfere with the work currently done in the new media manager group
• The security strike team needs to approve this! so calling @Kubik-Rubik

Testing Instructions

• Apply patch
• Edit media configuration and replace the contents of Legal Extensions (File Types) with

bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,svg,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS,SVG

Try to upload an svg file

Preview

Documentation Changes Required

NOTES

• This PR was created only as a way for the security strike team to evaluate the usage of the SVG sanitisation
• The SVG support is limiting svgs to certain level, as many features (e.g. scripts) will be removed
• This PR was not meant to override the work done in the new media manager group, it's more like a bridge to the security team for an evaluation of a sanitisation library that could possible be used by the new media group

I hope that this clears up my intentions here (speed up the process by involving more people)

---

This change is 

[Bakual]

What are those changes in the autoloading files? Those look wrong to me.

[wilsonge]

Dimitris is on an older version of composer :) It's regressing the autoload files back from composer 1.3.x to 1.2.x

[dgrammatiko]

I sea 😜, will update that in a bit...

[dgrammatiko]

Also Joomla is not supporting uploading of webp images...
About webp: https://developers.google.com/speed/webp/

[uglyeoin]

I have tested this item ✅ successfully on e4fd085

The SVG uploaded, but I was unable to select it as my intro image or as a normal image, rendering it pointless. I need further instructions to test whether the sanitisation worked.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13499.}

[dgrammatiko]

@uglyeoin one easy way to test the uploaded file is by pointing your browser to the path of the svg e.g. /images/test.svg Then you can inspect the uploaded file with the browser's development tools:

[anibalsanchez]

I have tested this item ✅ successfully on e4fd085

Test OK

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13499.}

[ghazal]

I have tested this item ✅ successfully on e4fd085

@uglyeoin I guess this is not the purpose of this patch. As the title says, it only implements a way to make safe use of svg format.
Check this also : #4674

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13499.}

[uglyeoin]

@ghazal I guess so. I have tested it successfully, but I have not tested the security side of things. I guess I need an insecure SVG in order to do so. I assume the other tests took this into account?

[uglyeoin]

@dgt41 perhaps you could supply an SVG for people to test with?