file.test | public FileUploadSvgTestCase::testSVGFileUploadValidation() |
Tests SVG upload validation: well-formed SVGs in the SVG namespace are accepted, while malformed SVGs, SVGs in the wrong namespace, and SVGs carrying active content (script elements, on* event attributes, foreignObject/iframe, javascript: or data: hrefs) are rejected.
File
- core/
modules/ file/ tests/ file.test, line 2682 - Tests for file.module.
Class
- FileUploadSvgTestCase
- Tests validation of SVG uploads.
Code
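/**
 * Tests validation of SVG uploads.
 *
 * Each sample is written to disk and submitted through the file/add form.
 * Well-formed SVGs in the SVG namespace are expected to be accepted; SVGs
 * that are malformed, use the wrong namespace, or carry active content
 * (script elements, on* event attributes, foreignObject/iframe, javascript:
 * or data: hrefs) are expected to be rejected.
 *
 * Besides checking the message shown to the user, the test checks the
 * database effect of every upload: an accepted sample must create a new
 * file record, and a rejected sample must not. The original version only
 * loaded "the last file" after each upload, which for a rejected sample
 * silently re-loaded the previously accepted file and therefore never
 * verified that dangerous SVGs were kept out of the database.
 */
public function testSVGFileUploadValidation() {
  $default_content = '<rect width="400" height="400" fill="#93a7ac"/>';
  $default_open_tag = '<svg width="400" height="400" version="1.1" viewBox="0 0 400 400" xmlns="http://www.w3.org/2000/svg">';
  // URL-encoded '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>',
  // used as the payload of a data: URI inside an <a href> in the 'link_data'
  // sample.
  // cspell:disable-next-line
  $a_tag_svg_href_content = '%3Csvg+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22+onload%3D%22alert%281%29%22%3E%3C%2Fsvg%3E';
  // Message fragment that marks an accepted upload; any other message
  // denotes a rejection.
  $accepted_message = 'was uploaded.';
  $samples = array(
    'valid' => array(
      'contents' => $default_open_tag . $default_content . '</svg>',
      'message' => 'was uploaded.',
    ),
    'no_dimensions' => array(
      'contents' => '<svg version="1.1" viewBox="0 0 400 400" xmlns="http://www.w3.org/2000/svg">' . $default_content . '</svg>',
      'message' => 'was uploaded.',
    ),
    'no_namespace_script' => array(
      'contents' => '<svg><script>alert(1)</script>' . $default_content . '</svg>',
      'message' => 'could not be uploaded. Invalid SVG namespace.',
    ),
    'invalid_namespace' => array(
      'contents' => $default_open_tag . '<g xmlns="invalid ns"/>' . $default_content . '</svg>',
      'message' => 'could not be uploaded. Invalid SVG file.',
    ),
    'broken' => array(
      'contents' => $default_open_tag . '<g>' . $default_content . '</svg>',
      'message' => 'could not be uploaded. Invalid SVG file.',
    ),
    'not_svg' => array(
      'contents' => '<xml><foobar/></xml>',
      'message' => 'could not be uploaded. Invalid SVG namespace.',
    ),
    'onevent' => array(
      'contents' => $default_open_tag . '<rect width="400" height="400" onload="alert(1)" fill="#93a7ac"/></svg>',
      'message' => 'could not be uploaded. Dangerous content found.',
    ),
    'iframe' => array(
      'contents' => $default_open_tag . $default_content . '<foreignObject x="20" y="20" width="220" height="220"><iframe src="https://example.org/" width="220" height="220"></iframe></foreignObject></svg>',
      'message' => 'could not be uploaded. Dangerous content found.',
    ),
    'script' => array(
      'contents' => $default_open_tag . $default_content . '<script>alert(1)</script></svg>',
      'message' => 'could not be uploaded. Dangerous content found.',
    ),
    'xlink_script' => array(
      'contents' => '<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:alert(1)">test</a>' . $default_content . '</svg>',
      'message' => 'could not be uploaded. Dangerous content found.',
    ),
    'link_data' => array(
      'contents' => $default_open_tag . $default_content . '<a href="data:image/svg+xml,' . $a_tag_svg_href_content . '"></a></svg>',
      'message' => 'could not be uploaded. Dangerous content found.',
    ),
  );

  // Highest file ID before any sample is uploaded. Used to tell whether a
  // given upload created a new file record.
  $last_fid = $this->getLastFileId();
  foreach ($samples as $sample => $settings) {
    $filename = $sample . '.svg';
    $filepath = $this->createSvgFile($settings + array('filepath' => $filename));
    $expect_saved = ($settings['message'] === $accepted_message);

    // Upload the SVG file.
    $edit = array();
    $edit['files[upload]'] = backdrop_realpath($filepath);
    $this->backdropPost('file/add', $edit, t('Next'));

    // Check the database effect of the upload.
    $fid = $this->getLastFileId();
    if ($expect_saved) {
      $this->assertTrue($fid > $last_fid, t('A new file record was created for %name.', array('%name' => $filename)));
      $file = file_load($fid);
      $this->assertTrue($file, t('SVG file found in database.'));
      $last_fid = $fid;
    }
    else {
      // NOTE(review): assumes the SVG validators run before the upload is
      // written to the file table, so a rejected upload never creates a
      // record — confirm against file_save_upload().
      $this->assertEqual($fid, $last_fid, t('Rejected SVG %name was not saved to the database.', array('%name' => $filename)));
    }

    // Check that the expected validation message was shown.
    $this->assertRaw(t('%name ' . $settings['message'], array('%name' => $filename)), t('File validated.'));
  }
}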