Changeset 3165151

Timestamp:

10/08/2024 05:25:16 PM (6 months ago)

Author:

Petrichorpost

Message:

Updated plugin to version 1.0.8 with new features and bug fixes.

Location:

svgplus/trunk

Files:

• includes/class-svgplus-sanitizer.php (modified) (7 diffs)
• readme.txt (modified) (4 diffs)
• svgplus.php (modified) (2 diffs)

svgplus/trunk/includes/class-svgplus-sanitizer.php

@@ -21 +21 @@
      */
     private static function set_allowed_elements($allow_animations) {
-        // Define base allowed elements
         self::$allowed_elements = [
+            // Core SVG Elements
             'svg' => ['xmlns', 'xmlns:xlink', 'width', 'height', 'viewBox', 'version', 'preserveAspectRatio', 'style', 'class', 'id'],
             'g' => ['transform', 'opacity', 'style', 'class', 'id'],
-            'path' => ['d', 'fill', 'stroke', 'stroke-width', 'transform', 'style', 'class', 'id'],
+            'defs' => ['class', 'id'],
+            'symbol' => ['id', 'viewBox', 'preserveAspectRatio', 'class'],
+            'use' => ['x', 'y', 'xlink:href', 'href', 'transform', 'style', 'class', 'id'],
+            'image' => ['x', 'y', 'width', 'height', 'xlink:href', 'href', 'preserveAspectRatio', 'transform', 'style', 'class', 'id'],
+
+            // Shapes
             'rect' => ['x', 'y', 'width', 'height', 'fill', 'stroke', 'stroke-width', 'rx', 'ry', 'transform', 'style', 'class', 'id'],
             'circle' => ['cx', 'cy', 'r', 'fill', 'stroke', 'stroke-width', 'transform', 'style', 'class', 'id'],
@@ -32 +37 @@
             'polyline' => ['points', 'fill', 'stroke', 'stroke-width', 'transform', 'style', 'class', 'id'],
             'polygon' => ['points', 'fill', 'stroke', 'stroke-width', 'transform', 'style', 'class', 'id'],
-            'text' => ['x', 'y', 'dx', 'dy', 'font-family', 'font-size', 'fill', 'stroke', 'stroke-width', 'transform', 'text-anchor', 'style', 'class', 'id'],
+            'path' => ['d', 'fill', 'stroke', 'stroke-width', 'transform', 'style', 'class', 'id'],
+
+            // Text
+            'text' => ['x', 'y', 'dx', 'dy', 'font-family', 'font-size', 'font-weight', 'fill', 'stroke', 'stroke-width', 'transform', 'text-anchor', 'style', 'class', 'id'],
             'tspan' => ['x', 'y', 'dx', 'dy', 'style', 'class', 'id'],
-            'defs' => ['class', 'id'],
-            'clipPath' => ['id', 'transform', 'class'],
-            'mask' => ['id', 'x', 'y', 'width', 'height', 'maskUnits', 'maskContentUnits', 'class'],
-            'linearGradient' => ['id', 'x1', 'y1', 'x2', 'y2', 'gradientUnits', 'gradientTransform', 'spreadMethod', 'class'],
-            'radialGradient' => ['id', 'cx', 'cy', 'r', 'fx', 'fy', 'gradientUnits', 'gradientTransform', 'spreadMethod', 'class'],
+            'textPath' => ['xlink:href', 'startOffset', 'method', 'spacing', 'style', 'class', 'id'],
+
+            // Gradient and Paint Servers
+            'linearGradient' => ['id', 'x1', 'y1', 'x2', 'y2', 'gradientUnits', 'gradientTransform', 'spreadMethod', 'style', 'class'],
+            'radialGradient' => ['id', 'cx', 'cy', 'r', 'fx', 'fy', 'gradientUnits', 'gradientTransform', 'spreadMethod', 'style', 'class'],
             'stop' => ['offset', 'stop-color', 'stop-opacity', 'style', 'class', 'id'],
-            'symbol' => ['id', 'viewBox', 'preserveAspectRatio', 'class'],
-            'use' => ['x', 'y', 'xlink:href', 'transform', 'style', 'class', 'id'],
-            'image' => ['x', 'y', 'width', 'height', 'xlink:href', 'href', 'preserveAspectRatio', 'transform', 'style', 'class', 'id'],
-            'pattern' => ['id', 'width', 'height', 'patternUnits', 'patternTransform', 'viewBox', 'preserveAspectRatio', 'xlink:href', 'class'],
-            'style' => ['type', 'media', 'title'],
+            'pattern' => ['id', 'width', 'height', 'patternUnits', 'patternTransform', 'viewBox', 'preserveAspectRatio', 'xlink:href', 'style', 'class'],
+
+            // Clipping and Masking
+            'clipPath' => ['id', 'clipPathUnits', 'transform', 'style', 'class'],
+            'mask' => ['id', 'x', 'y', 'width', 'height', 'maskUnits', 'maskContentUnits', 'style', 'class'],
+
+            // Filters and Effects
+            'filter' => ['id', 'filterUnits', 'x', 'y', 'width', 'height', 'primitiveUnits', 'class'],
+            'feBlend' => ['in', 'in2', 'mode', 'result', 'class'],
+            'feColorMatrix' => ['in', 'type', 'values', 'result', 'class'],
+            'feComponentTransfer' => ['in', 'result', 'class'],
+            'feComposite' => ['in', 'in2', 'operator', 'k1', 'k2', 'k3', 'k4', 'result', 'class'],
+            'feConvolveMatrix' => ['in', 'order', 'kernelMatrix', 'divisor', 'bias', 'targetX', 'targetY', 'edgeMode', 'kernelUnitLength', 'preserveAlpha', 'result', 'class'],
+            'feDiffuseLighting' => ['in', 'surfaceScale', 'diffuseConstant', 'kernelUnitLength', 'result', 'class'],
+            'feDisplacementMap' => ['in', 'in2', 'scale', 'xChannelSelector', 'yChannelSelector', 'result', 'class'],
+            'feDistantLight' => ['azimuth', 'elevation', 'class'],
+            'feDropShadow' => ['dx', 'dy', 'stdDeviation', 'flood-color', 'flood-opacity', 'result', 'class'],
+            'feFlood' => ['flood-color', 'flood-opacity', 'result', 'class'],
+            'feFuncA' => ['type', 'tableValues', 'slope', 'intercept', 'amplitude', 'exponent', 'offset', 'class'],
+            'feFuncB' => ['type', 'tableValues', 'slope', 'intercept', 'amplitude', 'exponent', 'offset', 'class'],
+            'feFuncG' => ['type', 'tableValues', 'slope', 'intercept', 'amplitude', 'exponent', 'offset', 'class'],
+            'feFuncR' => ['type', 'tableValues', 'slope', 'intercept', 'amplitude', 'exponent', 'offset', 'class'],
+            'feGaussianBlur' => ['in', 'stdDeviation', 'edgeMode', 'result', 'class'],
+            'feImage' => ['xlink:href', 'preserveAspectRatio', 'crossorigin', 'result', 'class'],
+            'feMerge' => ['result', 'class'],
+            'feMergeNode' => ['in', 'class'],
+            'feMorphology' => ['in', 'operator', 'radius', 'result', 'class'],
+            'feOffset' => ['in', 'dx', 'dy', 'result', 'class'],
+            'fePointLight' => ['x', 'y', 'z', 'class'],
+            'feSpecularLighting' => ['in', 'surfaceScale', 'specularConstant', 'specularExponent', 'kernelUnitLength', 'result', 'class'],
+            'feSpotLight' => ['x', 'y', 'z', 'pointsAtX', 'pointsAtY', 'pointsAtZ', 'specularExponent', 'limitingConeAngle', 'class'],
+            'feTile' => ['in', 'result', 'class'],
+            'feTurbulence' => ['baseFrequency', 'numOctaves', 'seed', 'stitchTiles', 'type', 'result', 'class'],
+
+            // Metadata Elements
             'metadata' => [],
             'desc' => [],
             'title' => [],
-            // Add more elements as needed
+
+            // Style Element
+            'style' => ['type', 'media', 'title'],
         ];
 
         if ($allow_animations) {
-            // MODIFIED: Added animation elements and attributes when animations are allowed
             $animation_elements = [
                 'animate' => ['attributeName', 'from', 'to', 'dur', 'repeatCount', 'begin', 'end', 'fill', 'values', 'keyTimes', 'keySplines', 'calcMode', 'keyPoints', 'restart', 'repeatDur'],
@@ -65 +104 @@
             self::$allowed_elements = array_merge(self::$allowed_elements, $animation_elements);
 
-            // Also, allow 'style' attribute
+            // Ensure 'style' attribute is allowed
             foreach (self::$allowed_elements as $element => $attributes) {
                 if (!in_array('style', $attributes)) {
@@ -81 +120 @@
      */
     public static function sanitize_svg($svg_content) {
-        // MODIFIED: Retrieve 'allow_animations' setting and set allowed elements accordingly
+        // Retrieve 'allow_animations' setting and set allowed elements accordingly
         $settings = get_option('svgplus_settings');
         $allow_animations = isset($settings['allow_animations']) ? $settings['allow_animations'] : 0;
@@ -164 +203 @@
                 }
 
+                // Conditionally allow 'style' attributes based on 'allow_animations' setting
                 if ($attr_name_lower === 'style') {
                     if (!$allow_animations) {
@@ -176 +216 @@
                 } else {
                     // Optionally, sanitize attribute values here
-                    // For example, ensure that URLs are safe
                     $attr_value = $node->getAttribute($attr_name);
                     $sanitized_value = self::sanitize_attribute($attr_name_lower, $attr_value);
@@ -216 +255 @@
             case 'fill':
             case 'stroke':
+            case 'stop-color':
+            case 'flood-color':
+            case 'lighting-color':
                 // Allow color values (e.g., #fff, rgb(255,255,255))
-                // Further validation can be added here
-                return htmlspecialchars($attr_value, ENT_QUOTES, 'UTF-8');
-            // Add more cases as needed
+                return htmlspecialchars($attr_value, ENT_QUOTES, 'UTF-8');
+            case 'd':
+            case 'points':
+            case 'path':
+            case 'keyPoints':
+                // Sanitize path data
+                return preg_replace('/[^0-9\.\-\s,mlzhvcsqtaMLZHVCSQTA]/', '', $attr_value);
+            case 'values':
+            case 'from':
+            case 'to':
+            case 'by':
+            case 'keyTimes':
+            case 'keySplines':
+                // Allow numeric sequences and functions
+                return htmlspecialchars($attr_value, ENT_QUOTES, 'UTF-8');
+            case 'dur':
+            case 'begin':
+            case 'end':
+            case 'repeatCount':
+            case 'repeatDur':
+            case 'calcMode':
+            case 'additive':
+            case 'accumulate':
+            case 'attributeName':
+            case 'attributeType':
+            case 'type':
+            case 'restart':
+            case 'fill':
+            case 'rotate':
+            case 'origin':
+                // Allow predefined values
+                return htmlspecialchars($attr_value, ENT_QUOTES, 'UTF-8');
             default:
                 return htmlspecialchars($attr_value, ENT_QUOTES, 'UTF-8');

svgplus/trunk/readme.txt

@@ -1 @@
-== SVGPlus ===
+=== SVGPlus ===
 Contributors: Rizonepress
 Tags: svg, vector graphics, media upload, shortcode, sanitization
 Requires at least: 5.0
 Tested up to: 6.6
-Stable tag: 1.0.7
+Stable tag: 1.0.8
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -44 +44 @@
    - **Via Shortcodes:** Use the `[svgplus id="123"]` shortcode within Elementor’s Shortcode widget to embed SVGs with additional customization options.
 
-
 ## Usage
 
@@ -60 +59 @@
 
 3. **Customize Shortcode (Optional):** Add additional parameters such as custom classes, alt text, and lazy loading:
-   ```[svgplus id="123" class="custom-svg-class" alt="Description of SVG" lazy="true"]```
+   ```[svgplus id="123" class="custom-svg-class" alt="Description of SVG" lazy="true"]
+
 
 ### Configuring Plugin Settings
@@ -83 +83 @@
 
 ## Changelog
+
+= 1.0.8 =
+
+* Comprehensive SVG Element Support: Expanded the list of allowed SVG elements and attributes in the sanitizer to include a complete set of SVG elements, including all filter elements and animation elements. This ensures compatibility with a wider range of SVG files and features.
+* Enhanced Animation Support: Completed the inclusion of all animation elements and their attributes, allowing for full support of SVG animations when enabled in the settings.
+* Improved Sanitization Logic: Updated the SVG sanitizer to support advanced SVG features like filters and animations while maintaining strict security measures. The sanitizer now properly handles a more extensive range of elements and attributes.
+* Security Enhancements: Ensured that the expanded support does not compromise security by maintaining robust sanitization and validation of SVG content.
 
 = 1.0.7 =

svgplus/trunk/svgplus.php

@@ -4 +4 @@
  * Plugin URI: https://rizonepress.com
  * Description: Securely upload and display SVG files with built-in sanitization and enhanced compatibility with Elementor.
- * Version: 1.0.6
+ * Version: 1.0.8
  * Author: <a href="https://rizonepress.com" target="_blank">Rizonepress.com</a>
  * Text Domain: svgplus
@@ -17 +17 @@
 
 // Define plugin constants
-define('SVGPLUS_VERSION', '1.0.6');
+define('SVGPLUS_VERSION', '1.0.8');
 define('SVGPLUS_PATH', plugin_dir_path(__FILE__));
 define('SVGPLUS_URL', plugin_dir_url(__FILE__));