From 0aea3b4a5aac64130ec2f9544e58eb658e463fef Mon Sep 17 00:00:00 2001 From: Jeffrey Paul Date: Thu, 24 Feb 2022 12:16:54 -0600 Subject: [PATCH 01/12] fix svg-sanitize version number in changelogs --- CHANGELOG.md | 2 +- CREDITS.md | 2 +- readme.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2834838f..78a128ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,7 +10,7 @@ All notable changes to this project will be documented in this file, per [the Ke ### Changed - Bump WordPress minimum version from 4.0 to 4.7 (props [@cadic](https://github.com/cadic) via [#32](https://github.com/10up/safe-svg/pull/32)). - Bump PHP minimum version from 5.6 to 7.0 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul) via [#20](https://github.com/10up/safe-svg/pull/20)). -- Update `enshrined/svg-sanitize` from 0.13.3 to 0.5.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic) via [#20](https://github.com/10up/safe-svg/pull/20), [#29](https://github.com/10up/safe-svg/pull/29)). +- Update `enshrined/svg-sanitize` from 0.13.3 to 0.15.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic) via [#20](https://github.com/10up/safe-svg/pull/20), [#29](https://github.com/10up/safe-svg/pull/29)). - Bump WordPress version "tested up to" 5.9 (props [@BBerg10up](https://github.com/BBerg10up), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic) via [#14](https://github.com/10up/safe-svg/pull/14), [#27](https://github.com/10up/safe-svg/pull/27)). - Updated library location and added a new build step (props [@darylldoyle](https://github.com/darylldoyle), [@dkotter](https://github.com/dkotter) via [#35](https://github.com/10up/safe-svg/pull/35), [#36](https://github.com/10up/safe-svg/pull/36)). 
- Updated plugin assets and added docs and repo management workflows via GitHub Actions (props [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [@jeffpaul](https://github.com/jeffpaul) via [#16](https://github.com/10up/safe-svg/pull/16), [#26](https://github.com/10up/safe-svg/pull/26)). diff --git a/CREDITS.md b/CREDITS.md index 1065ac8e..94c04968 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc. -[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann). +[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. 
Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann). ## Libraries diff --git a/readme.txt b/readme.txt index e67450bb..2f7ce3a0 100644 --- a/readme.txt +++ b/readme.txt 
@@ -71,7 +71,7 @@ They take one argument that must be returned. See below for examples: * **Changed:** Bump WordPress minimum version from 4.0 to 4.7 (props [@cadic](https://github.com/cadic)). * **Changed:** Bump PHP minimum version from 5.6 to 7.0 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul)). -* **Changed:** Update `enshrined/svg-sanitize` from 0.13.3 to 0.5.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). +* **Changed:** Update `enshrined/svg-sanitize` from 0.13.3 to 0.15.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Bump WordPress version "tested up to" 5.9 (props [@BBerg10up](https://github.com/BBerg10up), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Updated library location and added a new build step (props [@darylldoyle](https://github.com/darylldoyle), [@dkotter](https://github.com/dkotter)). * **Changed:** Updated plugin assets and added docs and repo management workflows via GitHub Actions (props [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [@jeffpaul](https://github.com/jeffpaul)). From b2743c2ccdaa5425339de7b1b48c0c6028bc0d65 Mon Sep 17 00:00:00 2001 
From: Torsten Landsiedel Date: Wed, 2 Mar 2022 14:51:24 +0100 Subject: [PATCH 02/12] Fix layout on wordpress.org Adding a space before the closing "=" on headlines in the changelog section of the readme.txt fixes the layout problem on wordpress.org not showing the bold markup for the headline and instead showing the "=" character. --- readme.txt | 70 +++++++++++++++++++++++++++--------------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/readme.txt b/readme.txt index 2f7ce3a0..83ddb806 100644 --- a/readme.txt +++ b/readme.txt 
@@ -80,120 +80,120 @@ They take one argument that must be returned. See below for examples: * **Fixed:** Use calculated size for SVGs instead of using `false` (props [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle), [@fritteli](https://github.com/fritteli)). * **Fixed:** Add better file type checking when looking for SVG files (props [@davidhamann](https://github.com/davidhamann), [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle)). -= 1.9.9 - 2020-05-07= += 1.9.9 - 2020-05-07 = * **Fixed:** Issue where 100% width is accidentally converted to 100px width (props [@joehoyle](https://github.com/joehoyle)). -= 1.9.8 - 2020-05-07= += 1.9.8 - 2020-05-07 = * **Changed:** Underlying library update. -= 1.9.7 - 2019-12-10= += 1.9.7 - 2019-12-10 = * **Changed:** Underlying library update. -= 1.9.6 - 2019-11-07= += 1.9.6 - 2019-11-07 = * **Security:** Underlying library update that fixes a security issue. -= 1.9.5 - 2019-11-04= += 1.9.5 - 2019-11-04 = * **Security:** Underlying library update that fixes some security issues. -= 1.9.4 - 2019-08-21= += 1.9.4 - 2019-08-21 = * **Fixed:** Bug causing lots of error log output to do with `safe_svg::fix_direct_image_output()`. -= 1.9.3 - 2019-02-19= += 1.9.3 - 2019-02-19 = * **Fixed:** Bug causing 0 height and width SVGs. -= 1.9.2 - 2019-02-14= += 1.9.2 - 2019-02-14 = * **Fixed:** Warning about an Illegal string offset. * **Fixed:** Issue if something other than a WP_Post object is passed in via the `wp_get_attachment_image_attributes` filter. -= 1.9.1 - 2019-01-29= += 1.9.1 - 2019-01-29 = * **Fixed:** Warning that was being generated by a change made in 1.9.0. -= 1.9.0 - 2019-01-03= += 1.9.0 - 2019-01-03 = * **Changed:** If an image is the correct ratio, allow skipping of the crop popup when setting header/logo images with SVGs. 
-= 1.8.1 - 2018-11-22= += 1.8.1 - 2018-11-22 = * **Changed:** Don't let errors break upload if uploading an empty file * **Fixed:** Featured image display in Gutenberg. Props [@dmhendricks](https://github.com/dmhendricks) :) -= 1.8.0 - 2018-11-04= += 1.8.0 - 2018-11-04 = * **Added:** Pull SVG dimensions from the width/height or viewbox attributes of the SVG. * **Added:** role="img" attribute to SVGs. -= 1.7.1 - 2018-10-01= += 1.7.1 - 2018-10-01 = * **Changed:** Underlying lib and added new filters for filtering allowed tags and attributes. -= 1.7.0 - 2018-10-01= += 1.7.0 - 2018-10-01 = * **Added:** Allow devs to filter tags and attrs within WordPress. -= 1.6.1 - 2018-03-17= += 1.6.1 - 2018-03-17 = * **Changed:** Images will now use the size chosen when inserted into the page rather than default to 2000px everytime. -= 1.6.0 - 2017-12-20= += 1.6.0 - 2017-12-20 = * **Added:** Fairly big new feature - The library now allows `` elements as long as they don't reference external files! * **Fixed:** You can now also embed safe image types within the SVG and not have them stripped (PNG, GIF, JPG). -= 1.5.3 - 2017-11-16= += 1.5.3 - 2017-11-16 = * **Fixed:** 1.5.2 introduced an issue that can freeze the media library. This fixes that issue. Sorry! -= 1.5.2 - 2017-11-15= += 1.5.2 - 2017-11-15 = * **Changed:** Tested with 4.9.0. * **Fixed:** Issue with SVGs when regenerating media. -= 1.5.1 - 2017-08-21= += 1.5.1 - 2017-08-21 = * **Fixed:** PHP strict standards warning. -= 1.5.0 - 2017-06-20= += 1.5.0 - 2017-06-20 = * **Changed:** Library update. * **Changed:** role, aria- and data- attributes are now whitelisted to improve accessibility. -= 1.4.5 - 2017-06-18= += 1.4.5 - 2017-06-18 = * **Changed:** Library update. * **Fixed:** some issues with defining the size of an SVG. -= 1.4.4 - 2017-06-07= += 1.4.4 - 2017-06-07 = * **Fixed:** SVGs now display as featured images in the admin area. -= 1.4.3 - 2017-03-06= += 1.4.3 - 2017-03-06 = * **Added:** WordPress 4.7.3 Compatibility. 
* **Changed:** Expanded SVG previews in media library. -= 1.4.2 - 2017-02-26= += 1.4.2 - 2017-02-26 = * **Added:** Check / fix for when mb_* functions are not available. -= 1.4.1 - 2017-02-23= += 1.4.1 - 2017-02-23 = * **Changed:** Underlying library to allow attributes/tags in all case variations. -= 1.4.0 - 2017-02-21= += 1.4.0 - 2017-02-21 = * **Added:** Ability to preview SVG on both grid and list view in the wp-admin media area * **Changed:** Underlying library version. -= 1.3.4 - 2017-02-20= += 1.3.4 - 2017-02-20 = * **Fixed:** SVGZ uploads failing and not sanitising correctly. -= 1.3.3 - 2017-02-15= += 1.3.3 - 2017-02-15 = * **Changed:** Allow SVGZ uploads. -= 1.3.2 - 2017-01-27= += 1.3.2 - 2017-01-27 = * **Fixed:** Mime type issue in 4.7.1. Mad props to [@LewisCowles1986](https://github.com/LewisCowles1986). -= 1.3.1 - 2016-12-01= += 1.3.1 - 2016-12-01 = * **Changed:** Underlying library version. -= 1.3.0 - 2016-10-10= += 1.3.0 - 2016-10-10 = * **Changed:** Minify SVGs after cleaning so they can be loaded correctly through `file_get_contents`. -= 1.2.0 - 2016-02-27= += 1.2.0 - 2016-02-27 = * **Added:** Support for camel case attributes such as viewBox. -= 1.1.1 - 2016-07-06= += 1.1.1 - 2016-07-06 = * **Fixed:** Issue with empty svg elements self-closing. -= 1.1.0 - 2015-07-04= += 1.1.0 - 2015-07-04 = * **Added:** I18n. * **Added:** da, de ,en, es, fr, nl and ru translations. * **Fixed:** Issue with filename not being pulled over on failed uploads. -= 1.0.0 - 2015-07-03= += 1.0.0 - 2015-07-03 = * Initial Release. == Upgrade Notice == From da976ca61248ef445a0051a28b5107525882da8b Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Fri, 11 Mar 2022 11:21:24 -0700 Subject: [PATCH 03/12] Set the full size dimensions when generating an image tag. Remove generation of srcset on SVGs. Ensure we don't add height and width twice to SVG image tags --- safe-svg.php | 55 +++++++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 33 deletions(-) 
diff --git a/safe-svg.php b/safe-svg.php index 7b52e264..98727afc 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -78,7 +78,7 @@ function __construct() { add_filter( 'wp_generate_attachment_metadata', array( $this, 'skip_svg_regeneration' ), 10, 2 ); add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( $this, 'add_upgrade_link' ) ); add_filter( 'wp_get_attachment_metadata', array( $this, 'metadata_error_fix' ), 10, 2 ); - add_filter( 'wp_get_attachment_image_attributes', array( $this, 'fix_direct_image_output' ), 10, 3 ); + add_filter( 'wp_calculate_image_srcset_meta', array( $this, 'disable_srcset' ), 10, 4 ); } /** @@ -270,11 +270,13 @@ public function fix_admin_preview( $response, $attachment, $meta ) { */ public function one_pixel_fix( $image, $attachment_id, $size, $icon ) { if ( get_post_mime_type( $attachment_id ) === 'image/svg+xml' ) { - if ( empty( $image[1] ) ) { - $image[1] = 100; - } + $dimensions = $this->svg_dimensions( get_attached_file( $attachment_id ) ); - if ( empty( $image[2] ) ) { + if ( $dimensions ) { + $image[1] = $dimensions['width']; + $image[2] = $dimensions['height']; + } else { + $image[1] = 100; $image[2] = 100; } } 
@@ -486,39 +488,26 @@ protected function svg_dimensions( $svg ) { } /** - * Fix the output of images using wp_get_attachment_image + * Disable the creation of srcset on SVG images. * - * @param array $attr Attributes for the image markup. - * @param WP_Post $attachment Image attachment post. - * @param string|array $size Requested size. Image size or array of width and height values - * (in that order). Default 'thumbnail'. + * @param array $image_meta The image meta data. + * @param int[] $size_array { + * An array of requested width and height values. + * + * @type int $0 The width in pixels. + * @type int $1 The height in pixels. + * } + * @param string $image_src The 'src' of the image. + * @param int $attachment_id The image attachment ID. */ - public function fix_direct_image_output( $attr, $attachment, $size = 'thumbnail' ) { - - // If we're not getting a WP_Post object, bail early. - // @see https://wordpress.org/support/topic/notice-trying-to-get-property-id/ - if ( ! $attachment instanceof WP_Post ) { - return $attr; + public function disable_srcset( $image_meta, $size_array, $image_src, $attachment_id ) { + if ( $attachment_id && 'image/svg+xml' === get_post_mime_type( $attachment_id ) ) { + $image_meta['sizes'] = array(); } - $mime = get_post_mime_type( $attachment->ID ); - if ( 'image/svg+xml' === $mime ) { - $default_height = 100; - $default_width = 100; - - $dimensions = $this->svg_dimensions( get_attached_file( $attachment->ID ) ); - - if ( $dimensions ) { - $default_height = $dimensions['height']; - $default_width = $dimensions['width']; - } - - $attr['height'] = $default_height; - $attr['width'] = $default_width; - } - - return $attr; + return $image_meta; } + } } From 1aa7eb533b3590e41128acd90a4e8945ab58bf6b Mon Sep 17 00:00:00 2001 
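Review bot: in the `one_pixel_fix` hunk, `$this->svg_dimensions( get_attached_file( $attachment_id ) )` re-reads and re-parses the SVG from disk on every call for an SVG attachment, and the `else` branch now overwrites whatever the caller had in `$image[1]`/`$image[2]` with 100x100 whenever the file is missing or unparsable, where the old code only filled in empty values; consider caching the parsed dimensions in the attachment metadata (the same data `metadata_error_fix` already filters) and keeping the `empty()` guard in the fallback branch. In the `disable_srcset` hunk, emptying `$image_meta['sizes']` works because core's srcset calculation bails on an empty sizes array, but that dependency deserves a one-line comment so the next reader does not have to go into `wp_calculate_image_srcset()` to see why an empty array is the right return value.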
From: Darin Kotter Date: Fri, 11 Mar 2022 11:39:20 -0700 Subject: [PATCH 04/12] Default to using the viewbox attributes first for SVG dimensions, to maintain backwards compat. Add a new filter that can be used to default to using the height and width attributes first instead --- safe-svg.php | 41 ++++++++++++++++++++++++++++++++++------- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/safe-svg.php b/safe-svg.php index 7b52e264..a2016f6e 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -454,7 +454,7 @@ function metadata_error_fix( $data, $post_id ) { /** * Get SVG size from the width/height or viewport. * - * @param $svg + * @param string|false $svg The file path to where the SVG file should be, false otherwise. * * @return array|bool */ 
@@ -464,16 +464,43 @@ protected function svg_dimensions( $svg ) { $height = 0; if ( $svg ) { $attributes = $svg->attributes(); - if ( isset( $attributes->width, $attributes->height ) && is_numeric( (float)$attributes->width ) && is_numeric( (float)$attributes->height ) ) { - $width = floatval( $attributes->width ); - $height = floatval( $attributes->height ); - } elseif ( isset( $attributes->viewBox ) ) { + + if ( isset( $attributes->viewBox ) ) { $sizes = explode( ' ', $attributes->viewBox ); if ( isset( $sizes[2], $sizes[3] ) ) { - $width = floatval( $sizes[2] ); - $height = floatval( $sizes[3] ); + $viewbox_width = floatval( $sizes[2] ); + $viewbox_height = floatval( $sizes[3] ); } + } + + if ( isset( $attributes->width, $attributes->height ) && is_numeric( (float) $attributes->width ) && is_numeric( (float) $attributes->height ) ) { + $attr_width = floatval( $attributes->width ); + $attr_height = floatval( $attributes->height ); + } + + /** + * Use the width and height attributes of the SVG for the image tag dimensions. + * + * We default to using the parameters in the viewbox attribute but + * that can be overridden using this filter if you'd prefer to use + * the width and height attributes. + * + * @hook safe_svg_use_width_height_attributes + * + * @param bool $false If the width & height attributes should be used first. Default false. + * @param string $svg The file path to the SVG. + * + * @return bool If we should use the width & height attributes first or not. + */ + if ( (bool) apply_filters( 'safe_svg_use_width_height_attributes', false, $svg ) ) { + $width = $attr_width; + $height = $attr_height; } else { + $width = $viewbox_width; + $height = $viewbox_height; + } + + if ( ! $width && ! $height ) { return false; } } From be5d788cd4de4a1dca3f89509e3aa36bc416ad42 Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Fri, 11 Mar 2022 12:36:00 -0700 Subject: [PATCH 05/12] Update docblock --- safe-svg.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
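Review bot: in the `svg_dimensions` hunk, `$viewbox_width`, `$viewbox_height`, `$attr_width` and `$attr_height` are only assigned inside their own `if` blocks, so `$width = $viewbox_width;` (or the `$attr_*` branch when the filter returns true) reads an undefined variable whenever that source is absent, and the old fallback from one source to the other is gone: under the default an SVG that has only `width`/`height` and no `viewBox` now ends in `return false`. Initialise all four to `0` before the checks and fall back to the other pair when the preferred one is `0`, e.g. `$width = $use_attrs ? ( $attr_width ?: $viewbox_width ) : ( $viewbox_width ?: $attr_width );`. Three smaller points: `explode( ' ', $attributes->viewBox )` misses comma-separated and multi-space viewBox values (`preg_split( '/[\s,]+/', trim( (string) $attributes->viewBox ) )` handles both); `is_numeric( (float) $attributes->width )` is always true because the cast has already produced a float, so it rejects nothing; and the filter docblock describes `$svg` as "The file path to the SVG" although at that point it is the object `->attributes()` was just called on.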
diff --git a/safe-svg.php b/safe-svg.php index a2016f6e..4c153753 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -479,7 +479,7 @@ protected function svg_dimensions( $svg ) { } /** - * Use the width and height attributes of the SVG for the image tag dimensions. + * Decide which attributes of the SVG we use first for image tag dimensions. * * We default to using the parameters in the viewbox attribute but * that can be overridden using this filter if you'd prefer to use From 50371a62315c1d669baaac001eba20d078c49fdc Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Fri, 11 Mar 2022 13:23:27 -0700 Subject: [PATCH 06/12] Ensure we don't use the height and width attributes if they are a percenta --- safe-svg.php | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/safe-svg.php b/safe-svg.php index 4c153753..a0c60fdb 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -473,7 +473,7 @@ protected function svg_dimensions( $svg ) { } } - if ( isset( $attributes->width, $attributes->height ) && is_numeric( (float) $attributes->width ) && is_numeric( (float) $attributes->height ) ) { + if ( isset( $attributes->width, $attributes->height ) && is_numeric( (float) $attributes->width ) && is_numeric( (float) $attributes->height ) && ! $this->str_ends_with( (string) $attributes->width, '%' ) && ! $this->str_ends_with( (string) $attributes->height, '%' ) ) { $attr_width = floatval( $attributes->width ); $attr_height = floatval( $attributes->height ); } 
@@ -546,6 +546,30 @@ public function fix_direct_image_output( $attr, $attachment, $size = 'thumbnail' return $attr; } + + /** + * Polyfill for `str_ends_with()` function added in PHP 8.0. + * + * Performs a case-sensitive check indicating if + * the haystack ends with needle. + * + * @param string $haystack The string to search in. + * @param string $needle The substring to search for in the `$haystack`. + * @return bool True if `$haystack` ends with `$needle`, otherwise false. + */ + protected function str_ends_with( $haystack, $needle ) { + if ( function_exists( 'str_ends_with' ) ) { + return str_ends_with( $haystack, $needle ); + } + + if ( '' === $haystack && '' !== $needle ) { + return false; + } + + $len = strlen( $needle ); + return 0 === substr_compare( $haystack, $needle, -$len, $len ); + } + } } From ccd7bcbfc843d4fbd25e3a4cf9365f919dac2428 Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Wed, 16 Mar 2022 09:14:36 -0600 Subject: [PATCH 07/12] Ensure we have a proper file path and file name before we try using them --- safe-svg.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/safe-svg.php b/safe-svg.php index 7b52e264..e486b435 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -133,7 +133,13 @@ public function fix_mime_type_svg( $data = null, $file = null, $filename = null, */ public function check_for_svg( $file ) { - $wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] ); + // Ensure we have a proper file path before processing + if ( ! isset( $file['tmp_name'] ) ) { + return $file; + } + + $file_name = isset( $file['name'] ) ? $file['name'] : ''; + $wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file_name ); $type = ! empty( $wp_filetype['type'] ) ? $wp_filetype['type'] : ''; if ( $type === 'image/svg+xml' ) { From b44ce7be6c14f377008400c7aacec2da573b9591 Mon Sep 17 00:00:00 2001 
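Review bot: in the `svg_dimensions` hunk of the percentage patch, the new `str_ends_with( (string) $attributes->width, '%' )` check rejects percentages but still accepts other relative units (`floatval( '2em' )` is `2.0`) and is bypassed by trailing whitespace such as `'100% '`; matching the attribute against a pattern like `/^\s*\d+(\.\d+)?(px)?\s*$/` before calling `floatval()` would cover both cases in one place. In the polyfill hunk, `substr_compare()` warns and returns false for a zero `$len` on the older PHP 7 releases this plugin still supports, so `str_ends_with( 'abc', '' )` would be `false` here but `true` natively on PHP 8; harmless because the only call site passes `'%'`, but an early `return true` for `'' === $needle` makes the polyfill match the built-in.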
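Review bot: in the `check_for_svg` hunk, `isset( $file['tmp_name'] )` still lets a failed upload through, because PHP leaves `tmp_name` set to an empty string rather than unsetting it when the upload errored; `empty( $file['tmp_name'] )` is the check that matches that shape. Defaulting `$file_name` to `''` also leaves `wp_check_filetype_and_ext()` with no extension to work from, so `$type` is empty and the file leaves this filter without the SVG handling ever running; since the method exists to catch SVGs, returning `$file` with an `error` entry set (the usual prefilter convention) when either key is missing is safer than returning the array untouched.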
From: Darin Kotter Date: Wed, 16 Mar 2022 09:23:26 -0600 Subject: [PATCH 08/12] Update safe-svg.php Co-authored-by: Peter Wilson <519727+peterwilsoncc@users.noreply.github.com> --- safe-svg.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/safe-svg.php b/safe-svg.php index a0c60fdb..d6445411 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -487,10 +487,10 @@ protected function svg_dimensions( $svg ) { * * @hook safe_svg_use_width_height_attributes * - * @param bool $false If the width & height attributes should be used first. Default false. - * @param string $svg The file path to the SVG. + * @param {bool} $false If the width & height attributes should be used first. Default false. + * @param {string} $svg The file path to the SVG. * - * @return bool If we should use the width & height attributes first or not. + * @return {bool} If we should use the width & height attributes first or not. */ if ( (bool) apply_filters( 'safe_svg_use_width_height_attributes', false, $svg ) ) { $width = $attr_width; From 202ccfe7c92303805800aaadf5a960ada7f03b2c Mon Sep 17 00:00:00 2001 From: Jeffrey Paul Date: Tue, 5 Apr 2022 14:13:16 -0500 Subject: [PATCH 09/12] version bump to 2.0.0 --- readme.txt | 2 +- safe-svg.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/readme.txt b/readme.txt index 83ddb806..ae18e00b 100644 --- a/readme.txt +++ b/readme.txt @@ -3,7 +3,7 @@ Contributors: 10up, enshrined Tags: svg, sanitize, upload, sanitise, security, svg upload, image, vector, file, graphic, media, mime Requires at least: 4.7 Tested up to: 5.9 -Stable tag: 1.9.10 +Stable tag: 2.0.0 Requires PHP: 7.0 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html diff --git a/safe-svg.php b/safe-svg.php index 5d53fdb6..49c59a2f 100644 --- a/safe-svg.php +++ b/safe-svg.php 
@@ -3,7 +3,7 @@ * Plugin Name: Safe SVG * Plugin URI: https://wpsvg.com/ * Description: Allows SVG uploads into WordPress and sanitizes the SVG before saving it - * Version: 1.9.10 + * Version: 2.0.0 * Requires at least: 4.7 * Requires PHP: 7.0 * Author: 10up From 7ce9d604fbf5d2ab66852df38f8d0851bc3b2706 Mon Sep 17 00:00:00 2001 From: Jeffrey Paul Date: Tue, 5 Apr 2022 14:30:24 -0500 Subject: [PATCH 10/12] add 2.0.0 items to changelogs --- CHANGELOG.md | 13 +++++++++++++ readme.txt | 7 +++++++ 2 files changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 78a128ba..d8eb491b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file, per [the Ke ## [Unreleased] - TBD +## [2.0.0] - 2022-04-06 +### Added +- New filter, `safe_svg_use_width_height_attributes`, that can be used to change the order of attributes we use to determine the SVG dimensions (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#43](https://github.com/10up/safe-svg/pull/43)). + +### Changed +- Documentation updates (props [@j-hoffmann](https://github.com/j-hoffmann), [@jeffpaul](https://github.com/jeffpaul), [@Zodiac1978](https://github.com/Zodiac1978) via [#39](https://github.com/10up/safe-svg/pull/39), [#42](https://github.com/10up/safe-svg/pull/42)). + +### Fixed +- Use the `viewBox` attributes first for image dimensions. Ensure we don't use image dimensions that end with percent signs (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#43](https://github.com/10up/safe-svg/pull/43)). +- Make sure we use the full size SVG dimensions rather than the requested size, to avoid wrong sizes being used and duplicate height and width attributes (props [@dkotter](https://github.com/dkotter), [@cadic](https://github.com/cadic) via [#44](https://github.com/10up/safe-svg/pull/44)). +- Ensure the `tmp_name` and `name` properties exist before we use them (props [@dkotter](https://github.com/dkotter), [@aksld](https://github.com/aksld) via [#46](https://github.com/10up/safe-svg/pull/46)). + ## [1.9.10] - 2022-02-23 **Note that this release bumps the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.** 
@@ -186,6 +198,7 @@ All notable changes to this project will be documented in this file, per [the Ke - Initial Release. [Unreleased]: https://github.com/10up/safe-svg/compare/trunk...develop +[2.0.0]: https://github.com/10up/safe-svg/compare/1.9.10...2.0.0 [1.9.10]: https://github.com/10up/safe-svg/compare/1.9.9...1.9.10 [1.9.9]: https://github.com/10up/safe-svg/compare/1.9.8...1.9.9 [1.9.8]: https://github.com/10up/safe-svg/compare/1.9.7...1.9.8 diff --git a/readme.txt b/readme.txt index ae18e00b..61c87bfb 100644 --- a/readme.txt +++ b/readme.txt @@ -66,6 +66,13 @@ They take one argument that must be returned. See below for examples: == Changelog == += 2.0.0 - 2022-04-06 = +* **Added:** New filter, `safe_svg_use_width_height_attributes`, that can be used to change the order of attributes we use to determine the SVG dimensions (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). +* **Changed:** Documentation updates (props [@j-hoffmann](https://github.com/j-hoffmann), [@jeffpaul](https://github.com/jeffpaul), [@Zodiac1978](https://github.com/Zodiac1978)). +* **Fixed:** Use the `viewBox` attributes first for image dimensions. Ensure we don't use image dimensions that end with percent signs (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). +* **Fixed:** Make sure we use the full size SVG dimensions rather than the requested size, to avoid wrong sizes being used and duplicate height and width attributes (props [@dkotter](https://github.com/dkotter), [@cadic](https://github.com/cadic)). +* **Fixed:** Ensure the `tmp_name` and `name` properties exist before we use them (props [@dkotter](https://github.com/dkotter), [@aksld](https://github.com/aksld)). + = 1.9.10 - 2022-02-23 = **Note that this release bumps the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.** From db0073db6c8f4cb3df23498b645c8a7f4dbcbd1e Mon Sep 17 00:00:00 2001 
From: Jeffrey Paul Date: Tue, 5 Apr 2022 14:34:36 -0500 Subject: [PATCH 11/12] Update CREDITS.md --- CREDITS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CREDITS.md b/CREDITS.md index 94c04968..f2e08f79 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc. -[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann). +[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. 
Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Torsten Landsiedel (@Zodiac1978)](https://github.com/Zodiac1978), [Axel DUCORON (@aksld)](https://github.com/aksld). ## Libraries From 29aa09ab2ee62d0d6b56e46eb9e1a499b19a471c Mon Sep 17 00:00:00 2001 From: Jeffrey Paul Date: Tue, 5 Apr 2022 14:49:20 -0500 Subject: [PATCH 12/12] update header fields --- composer.json | 12 +++++++++++- safe-svg.php | 4 ++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/composer.json b/composer.json index 22b907ce..6cc87014 100644 --- a/composer.json +++ b/composer.json 
@@ -2,11 +2,21 @@ "name": "darylldoyle/safe-svg", "description": "Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website", "type": "wordpress-plugin", + "homepage": "https://github.com/10up/safe-svg", + "readme": "https://github.com/10up/safe-svg/blob/develop/README.md", "license": "GPL-2.0-or-later", "authors": [ + { + "name": "10up", + "email": "opensource@10up.com", + "homepage": "https://10up.com/", + "role": "Developer" + }, { "name": "Daryll Doyle", - "homepage": "https://wpsvg.com/" + "email": "daryll@enshrined.co.uk", + "homepage": "http://enshrined.co.uk/", + "role": "Developer" } ], "require": { diff --git a/safe-svg.php b/safe-svg.php index 49c59a2f..37069a9f 100644 --- a/safe-svg.php +++ b/safe-svg.php @@ -1,8 +1,8 @@
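Review bot: in the composer.json hunk, `"homepage": "http://enshrined.co.uk/"` is the only plain-http URL added in this series; the 10up author entry and the new `homepage` and `readme` fields all use https, so this one should too rather than pointing package metadata at an unencrypted origin.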