Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[11.x] Backport of Prevent XSS vulnerabilities by excluding SVGs by default in image validation #54345

Closed
wants to merge 5 commits into from
Closed

[11.x] Backport of Prevent XSS vulnerabilities by excluding SVGs by default in image validation #54345

wants to merge 5 commits into from
+106 −8

Conversation

SanderMuller
Copy link
Contributor

Backport of #54331 to 11.x

This patch introduces the security enhancement from #54331, preventing XSS vulnerabilities by excluding SVG files from ImageFile validation by default.

To maintain backward compatibility, SVG files are still allowed by default in Laravel 11.x. However, a new static method, ImageFile::allowSvg(allowByDefault: false), is introduced. This method can be used to disable SVG validation globally, aligning the behavior with Laravel 12.x.

Usage

To enforce the new behavior globally, add the following to your AppServiceProvider:

use Illuminate\Validation\Rules\ImageFile;

public function boot()
{
    ImageFile::allowSvg(allowByDefault: false);
}

Benefits

  • Enhanced Security: Mitigates potential XSS vulnerabilities by providing an option to exclude SVG files from image validation.
  • Backward Compatibility: The change preserves the default behavior in Laravel 11.x, allowing SVGs unless explicitly disabled.
  • Upgrade Readiness: Introduces an optional configuration to align with Laravel 12.x behavior, simplifying future upgrades.
  • Global Configuration: Provides a straightforward method to enforce stricter validation across your application with a single setting.

SanderMuller and others added 4 commits January 24, 2025 21:51
@SanderMuller @taylorotwell
[12.x] Prevent XSS vulnerabilities by excluding SVGs by default in im…
e2cd1d9 
…age validation (laravel#54331)

* Prevent XSS through SVG image validation

* Apply by default in validateImage

* formatting

---------

Co-authored-by: Taylor Otwell <taylor@laravel.com>
@SanderMuller
Allow SVG by default and add ImageFile::allowSvg(allowByDefault: fals…
715e3d4 
…e); to get 12.x behaviour
@SanderMuller
Update ValidationValidatorTest.php
18fb555
@SanderMuller
Update ValidationValidatorTest.php
76a6f62
crynobone
crynobone reviewed Jan 25, 2025
View reviewed changes
src/Illuminate/Validation/Rules/ImageFile.php
@@ -4,20 +4,35 @@

class ImageFile extends File
{
public static $allowSvgByDefault = true;

public static function allowSvg($allowByDefault = true)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not make allowSvgByDefault(bool) and disallowSvgByDefault(bool)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oversight, will add!

@taylorotwell
Copy link
Member

Because users have to literally inline render the user provided SVGs, I'm not going to backport this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crynobone crynobone Awaiting requested review from crynobone

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@SanderMuller @taylorotwell @crynobone