[5.x] Sanitize SVG Tag Output by Default (#9575)

statamic · Feb 23, 2024 · 0f3cb3b · 0f3cb3b
1 parent 45d7b79
commit 0f3cb3b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/src/Tags/Svg.php b/src/Tags/Svg.php
@@ -48,7 +48,7 @@ public function index()
             $svg = $this->params->get('src');
         }
 
-        $attributes = $this->renderAttributesFromParams(['src', 'title', 'desc']);
+        $attributes = $this->renderAttributesFromParams(['src', 'title', 'desc', 'sanitize']);
 
         if ($this->params->get('title') || $this->params->get('desc')) {
             $svg = $this->setTitleAndDesc($svg);
@@ -91,7 +91,7 @@ private function setTitleAndDesc($svg)
 
     private function sanitize($svg)
     {
-        if ($this->params->bool('sanitize') === false) {
+        if ($this->params->bool('sanitize', true) === false) {
             return $svg;
         }
 

diff --git a/tests/Fieldtypes/IconTest.php b/tests/Fieldtypes/IconTest.php
@@ -21,7 +21,7 @@ public function it_finds_default_icons()
     /** @test */
     public function it_accepts_svg_strings()
     {
-        $result = (string) Antlers::parse('{{ svg :src="test" class="w-4 h-4" }}', ['test' => new Value('add', $this->fieldtype())]);
+        $result = (string) Antlers::parse('{{ svg :src="test" class="w-4 h-4" sanitize="false" }}', ['test' => new Value('add', $this->fieldtype())]);
 
         $this->assertStringContainsString('<svg class="w-4 h-4"', $result);
     }

diff --git a/tests/Tags/SvgTagTest.php b/tests/Tags/SvgTagTest.php
@@ -30,7 +30,7 @@ public function it_renders_svg()
     /** @test */
     public function it_renders_svg_with_additional_params()
     {
-        $this->assertStringStartsWith('<svg class="mb-2" xmlns="', $this->tag('{{ svg src="users" class="mb-2" }}'));
+        $this->assertStringStartsWith('<svg class="mb-2" xmlns="', $this->tag('{{ svg src="users" sanitize="false" class="mb-2" }}'));
     }
 
     /** @test */
@@ -47,12 +47,12 @@ public function it_sanitizes()
 
         $this->assertEquals(
             '<svg><path/></svg>',
-            $this->tag('{{ svg src="xss" sanitize="true" }}')
+            $this->tag('{{ svg src="xss" }}')
         );
 
         $this->assertEquals(
             '<svg><path onclick="clickxss"/><foreignObject/><mesh/></svg>',
-            $this->tag('{{ svg src="xss" sanitize="true" allow_tags="mesh|foreignObject" allow_attrs="onclick" }}')
+            $this->tag('{{ svg src="xss" allow_tags="mesh|foreignObject" allow_attrs="onclick" }}')
         );
     }
 
@@ -77,6 +77,6 @@ public function sanitizing_doesnt_remove_an_xml_tag()
 
         File::put(resource_path('xmltag.svg'), $svg);
 
-        $this->assertEquals($svg, $this->tag('{{ svg src="xmltag" sanitize="true" }}'));
+        $this->assertEquals($svg, $this->tag('{{ svg src="xmltag" }}'));
     }
 }