From ca4fb2f33565205a735db5625d04d7c1a69cf41b Mon Sep 17 00:00:00 2001
From: Thomas KLEIN
Date: Fri, 28 Mar 2025 15:46:42 +0100
Subject: [PATCH] Fix #39
---
Model/Api/MediaContentValidator.php | 59 +++++++++++++++++++++++++++++
etc/di.xml | 4 +-
2 files changed, 60 insertions(+), 3 deletions(-)
create mode 100644 Model/Api/MediaContentValidator.php
diff --git a/Model/Api/MediaContentValidator.php b/Model/Api/MediaContentValidator.php
new file mode 100644
index 0000000..48da725
--- /dev/null
+++ b/Model/Api/MediaContentValidator.php
@@ -0,0 +1,59 @@
+isSvgContent($imageContent) && $this->isAllowed($imageContent)
+ ? $this->isValidSvg($imageContent)
+ : $this->imageContentValidator->isValid($imageContent);
+ }
+
+ /**
+ * Skip image size check in case of svg image, SVGs are not compatible with getimagesizefromstring
+ * Use it at your own risk! This method does not sanitize the SVG content and malicious code can be pushed!
+ *
+ * @throws InputException
+ * @see ImageContentValidator::isValid
+ */
+ private function isValidSvg(ImageContentInterface $imageContent): bool
+ {
+ $imageName = (string)$imageContent->getName();
+ if ($imageName !== '' && preg_match('/^[^\\/?*:";<>()|{}\\\\]+$/', $imageName) === 1) {
+ throw new InputException(new Phrase('Provided image name contains forbidden characters.'));
+ }
+
+ return true;
+ }
+
+ private function isSvgContent(ImageContentInterface $imageContent): bool
+ {
+ $fileContent = @base64_decode($imageContent->getBase64EncodedData(), true);
+
+ return str_starts_with($fileContent, '');
+ }
+
+ private function isAllowed(ImageContentInterface $imageContent): bool
+ {
+ return in_array($imageContent->getType(), ['svg-xml', 'svg'], true);
+ }
+}
diff --git a/etc/di.xml b/etc/di.xml
index 3ad6f0f..826195b 100644
--- a/etc/di.xml
+++ b/etc/di.xml
@@ -81,7 +81,6 @@ -
@@ -91,11 +90,9 @@ - - MagestyApps\WebImages\Model\AssetFactory
@@ -106,4 +103,5 @@ MagestyApps\WebImages\Model\File\UploaderFactory +
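Review bot: The name check in isValidSvg is inverted: the pattern `/^[^\\/?*:";<>()|{}\\\\]+$/` matches only when the name contains none of the listed characters (it is the same class the core ImageContentValidator treats as "valid name"), so `preg_match(...) === 1` identifies a clean name and the throw fires for valid names while names carrying `/`, `\` or the other forbidden characters are accepted. The condition should read `if ($imageName === '' || preg_match('/^[^\\/?*:";<>()|{}\\\\]+$/', $imageName) !== 1) {`, which also keeps an empty name rejected. The head of the file, from the opening tag up to the `$this->` that precedes isSvgContent, is missing from this rendering, so the start of the delegating isValid method and any strict_types declaration cannot be checked; if strict_types is enabled, the `false` that `@base64_decode` returns for malformed data in isSvgContent reaches str_starts_with as a bool and raises TypeError instead of falling through to the delegate's InputException, which `if ($fileContent === false) { return false; }` before the return would avoid. Since the svg branch skips the delegate's size and MIME checks entirely and the docblock already states the body is not sanitized, it would be worth adding to that docblock that callers must confine this path to trusted (admin) uploads or pass the content through an SVG sanitizer before storing it.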