laravel · SanderMuller · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025
diff --git a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
@@ -23,6 +23,7 @@
 use Illuminate\Support\Facades\Date;
 use Illuminate\Support\Str;
 use Illuminate\Validation\Rules\Exists;
+use Illuminate\Validation\Rules\ImageFile;
 use Illuminate\Validation\Rules\Unique;
 use Illuminate\Validation\ValidationData;
 use InvalidArgumentException;
@@ -1387,11 +1388,18 @@ public function validateHexColor($attribute, $value)
      *
      * @param  string  $attribute
      * @param  mixed  $value
+     * @param  array<int, string>  $parameters
      * @return bool
      */
-    public function validateImage($attribute, $value)
+    public function validateImage($attribute, $value, $parameters = [])
     {
-        return $this->validateMimes($attribute, $value, ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'svg', 'webp']);
+        $mimes = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'webp'];
+
+        if (ImageFile::$allowSvgByDefault || (is_array($parameters) && in_array('allow_svg', $parameters))) {
+            $mimes[] = 'svg';
+        }
+
+        return $this->validateMimes($attribute, $value, $mimes);
     }
 
     /**

diff --git a/src/Illuminate/Validation/Rule.php b/src/Illuminate/Validation/Rule.php
@@ -215,11 +215,12 @@ public static function file()
     /**
      * Get an image file rule builder instance.
      *
+     * @param  bool | null  $allowSvg
      * @return \Illuminate\Validation\Rules\ImageFile
      */
-    public static function imageFile()
+    public static function imageFile($allowSvg = null)
     {
-        return new ImageFile;
+        return new ImageFile($allowSvg);
     }
 
     /**

diff --git a/src/Illuminate/Validation/Rules/File.php b/src/Illuminate/Validation/Rules/File.php
@@ -118,11 +118,12 @@ public static function default()
     /**
      * Limit the uploaded file to only image types.
      *
+     * @param  bool|null  $allowSvg
      * @return ImageFile
      */
-    public static function image()
+    public static function image($allowSvg = null)
     {
-        return new ImageFile();
+        return new ImageFile($allowSvg);
     }
 
     /**

diff --git a/src/Illuminate/Validation/Rules/ImageFile.php b/src/Illuminate/Validation/Rules/ImageFile.php
@@ -4,20 +4,46 @@
 
 class ImageFile extends File
 {
+    /**
+     * Indicates if SVG files are allowed by default.
+     *
+     * @var bool
+     */
+    public static $allowSvgByDefault = true;
+
+    /**
+     * Indicate whether SVG files are allowed by default.
+     *
+     * @param  bool  $allowByDefault
+     * @return void
+     */
+    public static function allowSvg($allowByDefault = true)
+    {
+        static::$allowSvgByDefault = $allowByDefault;
+    }
+
     /**
      * Create a new image file rule instance.
      *
+     * @param  bool|null  $allowSvg
      * @return void
      */
-    public function __construct()
+    public function __construct($allowSvg = null)
     {
-        $this->rules('image');
+        $allowSvg ??= static::$allowSvgByDefault;
+
+        if ($allowSvg) {
+            $this->rules('image:allow_svg');
+        } else {
+            $this->rules('image');
+        }
     }
 
     /**
      * The dimension constraints for the uploaded file.
      *
      * @param  \Illuminate\Validation\Rules\Dimensions  $dimensions
+     * @return $this
      */
     public function dimensions($dimensions)
     {

diff --git a/tests/Validation/ValidationFileRuleTest.php b/tests/Validation/ValidationFileRuleTest.php
@@ -8,7 +8,9 @@
 use Illuminate\Support\Facades\Facade;
 use Illuminate\Translation\ArrayLoader;
 use Illuminate\Translation\Translator;
+use Illuminate\Validation\Rule;
 use Illuminate\Validation\Rules\File;
+use Illuminate\Validation\Rules\ImageFile;
 use Illuminate\Validation\ValidationServiceProvider;
 use Illuminate\Validation\Validator;
 use PHPUnit\Framework\TestCase;
@@ -194,6 +196,50 @@ public function testImage()
         );
     }
 
+    public function testImageFailsOnSvgByDefault()
+    {
+        $maliciousSvgFileWithXSS = UploadedFile::fake()->createWithContent(
+            name: 'foo.svg',
+            content: <<<'XML'
+                    <svg xmlns="http://www.w3.org/2000/svg" width="383" height="97" viewBox="0 0 383 97">
+                        <text x="10" y="50" font-size="30" fill="black">XSS Logo</text>
+                        <script>alert('XSS');</script>
+                    </svg>
+                    XML
+        );
+
+        $this->passes(
+            File::image(),
+            $maliciousSvgFileWithXSS,
+        );
+        $this->passes(
+            Rule::imageFile(),
+            $maliciousSvgFileWithXSS,
+        );
+
+        ImageFile::allowSvg(allowByDefault: false);
+
+        $this->fails(
+            File::image(),
+            $maliciousSvgFileWithXSS,
+            ['validation.image']
+        );
+        $this->fails(
+            Rule::imageFile(),
+            $maliciousSvgFileWithXSS,
+            ['validation.image']
+        );
+
+        $this->passes(
+            File::image(allowSvg: true),
+            $maliciousSvgFileWithXSS
+        );
+        $this->passes(
+            Rule::imageFile(allowSvg: true),
+            $maliciousSvgFileWithXSS
+        );
+    }
+
     public function testSize()
     {
         $this->fails(

diff --git a/tests/Validation/ValidationValidatorTest.php b/tests/Validation/ValidationValidatorTest.php
@@ -25,6 +25,7 @@
 use Illuminate\Validation\DatabasePresenceVerifierInterface;
 use Illuminate\Validation\Rule as ValidationRule;
 use Illuminate\Validation\Rules\Exists;
+use Illuminate\Validation\Rules\ImageFile;
 use Illuminate\Validation\Rules\ProhibitedIf;
 use Illuminate\Validation\Rules\Unique;
 use Illuminate\Validation\ValidationData;
@@ -49,6 +50,7 @@ protected function tearDown(): void
 
         Carbon::setTestNow(null);
         m::close();
+        ImageFile::allowSvg(allowByDefault: true);
     }
 
     public function testNestedErrorMessagesAreRetrievedFromLocalArray()
@@ -4893,6 +4895,20 @@ public function testValidateImage()
         $v = new Validator($trans, ['x' => $file6], ['x' => 'image']);
         $this->assertTrue($v->passes());
 
+        ImageFile::allowSvg(allowByDefault: false);
+
+        $file6 = $this->getMockBuilder(UploadedFile::class)->onlyMethods(['guessExtension', 'getClientOriginalExtension'])->setConstructorArgs($uploadedFile)->getMock();
+        $file6->expects($this->any())->method('guessExtension')->willReturn('svg');
+        $file6->expects($this->any())->method('getClientOriginalExtension')->willReturn('svg');
+        $v = new Validator($trans, ['x' => $file6], ['x' => 'image']);
+        $this->assertFalse($v->passes());
+
+        $file6 = $this->getMockBuilder(UploadedFile::class)->onlyMethods(['guessExtension', 'getClientOriginalExtension'])->setConstructorArgs($uploadedFile)->getMock();
+        $file6->expects($this->any())->method('guessExtension')->willReturn('svg');
+        $file6->expects($this->any())->method('getClientOriginalExtension')->willReturn('svg');
+        $v = new Validator($trans, ['x' => $file6], ['x' => 'image:allow_svg']);
+        $this->assertTrue($v->passes());
+
         $file7 = $this->getMockBuilder(UploadedFile::class)->onlyMethods(['guessExtension', 'getClientOriginalExtension'])->setConstructorArgs($uploadedFile)->getMock();
         $file7->expects($this->any())->method('guessExtension')->willReturn('webp');
         $file7->expects($this->any())->method('getClientOriginalExtension')->willReturn('webp');