add xml-parser to detect any svg content, with or without mimetype

ensdomains · May 14, 2024 · 8b326ed · 8b326ed
1 parent 67a54f3
commit 8b326ed
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -21,12 +21,12 @@
  "emoji-regex": "^10.1.0",
  "ethers": "6.12.0",
  "express": "^4.18.1",
+ "fast-xml-parser": "^4.3.6",
  "google-auth-library": "^8.1.0",
  "graphql": "^16.5.0",
  "graphql-request": "^4.3.0",
  "helmet": "^6.1.5",
  "ioredis": "^5.3.2",
- "is-svg": "^4.3.2",
  "jsdom": "^19.0.0",
  "lodash": "^4.17.21",
  "multiformats": "^9.4.8",

diff --git a/src/service/avatar.ts b/src/service/avatar.ts
@@ -13,6 +13,7 @@ import {
  OPENSEA_API_KEY 
 } from '../config';
 import { abortableFetch } from '../utils/abortableFetch';
+import isSvg from '../utils/isSVG';
 
 const window = new JSDOM('').window;
 
@@ -91,7 +92,7 @@ export class AvatarMetadata {
  const mimeType = response?.headers.get('Content-Type');
  const data = await response?.buffer();
 
- if (mimeType?.includes('svg')) {
+ if (mimeType?.includes('svg') || isSvg(data.toString())) {
  const DOMPurify = createDOMPurify(window);
  const cleanData = DOMPurify.sanitize(data.toString());
  return [Buffer.from(cleanData), mimeType];

diff --git a/src/utils/isSVG.ts b/src/utils/isSVG.ts
@@ -0,0 +1,39 @@
+// @ref: https://github.com/sindresorhus/is-svg
+// @ref: https://github.com/sindresorhus/is-svg/pull/38
+import {XMLParser, XMLValidator} from 'fast-xml-parser';
+
+export default function isSvg(data: string) {
+ if (typeof data !== 'string') {
+ throw new TypeError(`Expected a \`string\`, got \`${typeof data}\``);
+ }
+
+ data = data.toLowerCase().trim();
+
+ if (data.length === 0) {
+ return false;
+ }
+
+ // Has to be `!==` as it can also return an object with error info.
+ if (XMLValidator.validate(data) !== true) {
+ return false;
+ }
+
+ let jsonObject;
+ const parser = new XMLParser();
+
+ try {
+ jsonObject = parser.parse(data);
+ } catch {
+ return false;
+ }
+
+ if (!jsonObject) {
+ return false;
+ }
+
+ if (!('svg' in jsonObject)) {
+ return false;
+ }
+
+ return true;
+}
diff --git a/yarn.lock b/yarn.lock
@@ -2511,7 +2511,7 @@ fast-text-encoding@^1.0.0:
  resolved "https://registry.yarnpkg.com/fast-text-encoding/-/fast-text-encoding-1.0.6.tgz#0aa25f7f638222e3396d72bf936afcf1d42d6867"
  integrity sha512-VhXlQgj9ioXCqGstD37E/HBeqEGV/qOD/kmbVG8h5xKBYvM1L3lR1Zn4555cQ8GkYbJa8aJSipLPndE1k6zK2w==
 
-fast-xml-parser@^4.1.3:
+fast-xml-parser@^4.1.3, fast-xml-parser@^4.3.6:
  version "4.3.6"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.3.6.tgz#190f9d99097f0c8f2d3a0e681a10404afca052ff"
  integrity sha512-M2SovcRxD4+vC493Uc2GZVcZaj66CCJhWurC4viynVSTvrpErCShNcDz1lAho6n9REQKvL/ll4A4/fw6Y9z8nw==