Cannot save page after SVG upload #3791

Open
Karthons opened this issue Jan 20, 2024 · 3 comments

Karthons commented Jan 20, 2024

When I upload a specific SVG to a custom modular (see comment below), the page will display the following error:

Failed to save entry: SVG file XSS check failed on on_events

TypeError: can't convert undefined to object after using defaultProps

After displaying this error, the page cannot be saved anymore.

Here is the SVG:
svg_that_triggers_grav_error

I believe that some XSS feature is recognizing that there are "xlink:href" and <defs>. This happened to me because I had exported an SVG that contained "meshes" from Adobe Illustrator.

Now how to resolve this (for me):

  • delete the cache folder
  • open site in private browser (or delete your cookies / cache of your site). It seems that the error still gets displayed even when the image gets deleted, some information is stored in the browser that causes this infinite message.
  • now saving works again
  • to reupload the SVG, delete all the <images> in your svg and remove the "<defs>" tags.

rhukster self-assigned this Apr 12, 2024

rhukster (Member) commented

I've tested with latest Grav and can't replicate this with your SVG.

Karthons (Author) commented

Thank you for looking into this. I was not clear enough in my instructions:

  • create a custom modular blueprint (here is mine):

```yaml
title: Offerings
'@extends': default

form:
  fields:
    tabs:
      fields:
        content:
          fields:
            section1:
              type: section
              title: Section 1
              fields:
                header.image1:
                  type: file
                  label: Image
                  destination: 'self@'
                  multiple: false
                  accept:
                    - image/*
```

  • set a page to modular and add this modular to the page
  • upload my svg to this header.image1 field -> the error message should appear

I downloaded latest Grav and was able to reproduce it again.

Currey commented Nov 22, 2024

I have also come across this issue. I have a similar setup: a file field saving to self@ within a modular blueprint. I also get the Failed to save entry: SVG file XSS check failed on on_events error on page save.

The svg I am attempting to save is fairly benign, but it does have the xmlns attribute in the svg tag: xmlns="http://www.w3.org/2000/svg".

sanitize_svg is set to true in /user/config/security.yaml. If I set this to false, the svg file saves to the page correctly. Ideally, I wish to keep sanitize_svg on.
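
When an upload is rejected with "XSS check failed on on_events", it helps to establish whether the file really carries active content before deciding what to strip from it. The following is an added example, not Grav's code and not a reproduction of Grav's check: it parses the SVG as XML and lists actual event-handler attributes, script elements and javascript: URLs next to the harmless structures mentioned in this thread. The function names and both sample SVGs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the reports: xmlns, xlink:href, <defs>, no handlers.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs><linearGradient id="g"/></defs>
  <image width="10" height="10" xlink:href="data:image/png;base64,AAAA"/>
</svg>"""

# Constructed sample that really carries active content.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(2)</script>
</svg>"""


def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def audit_svg(svg_text):
    """Parse an SVG and list what an XSS filter could plausibly react to."""
    # Refuse DTDs up front: ElementTree expands internal entities (entity bombs).
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("SVG with DTD or entity declarations refused")
    found = {"event_handlers": [], "scripts": 0, "javascript_urls": [],
             "defs": 0, "images": 0}
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag == "script":
            found["scripts"] += 1
        elif tag == "defs":
            found["defs"] += 1
        elif tag == "image":
            found["images"] += 1
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):  # onload, onclick, ...
                found["event_handlers"].append((tag, attr))
            if attr == "href" and value.strip().lower().startswith("javascript:"):
                found["javascript_urls"].append((tag, value))
    return found


def has_active_content(found):
    """True only if real handlers, scripts or javascript: URLs are present."""
    return bool(found["event_handlers"] or found["scripts"] or found["javascript_urls"])
```

If `has_active_content` returns False for a rejected file, the rejection is worth reporting as a false positive with the file attached, rather than working around it by turning `sanitize_svg` off.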
