From 8bcacaaa85cf4b862a257ee13e60ae5d443d3897 Mon Sep 17 00:00:00 2001 From: Jeffrey Paul Date: Wed, 6 Apr 2022 11:54:16 -0500 Subject: [PATCH 1/8] update license to proper GPLv2 format --- LICENSE.md | 40 ++++------------------------------------ 1 file changed, 4 insertions(+), 36 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 1d815b35..d159169d 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,39 +1,7 @@ -Safe SVG - Upload and sanitize SVGs within WordPress - -Copyright 2015 Daryll Doyle - -This program is free software; you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation; either version 2 of the License, or -(at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - -This program incorporates work covered by the following copyright and -permission notices: - - svg-sanitize is (c) 2015 Daryll Doyle - daryll@enshrined.co.uk - - http://enshrined.co.uk - - Wherever third party code has been used, credit has been given in the code's - comments. - - svg-sanitize is released under the GPL - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - GNU GENERAL PUBLIC LICENSE Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc., + Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
@@ -322,8 +290,8 @@ to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. - {description} - Copyright (C) {year} {fullname} + + Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -361,7 +329,7 @@ necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. - {signature of Ty Coon}, 1 April 1989 + , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into
From 99ab869d73acdf5c65c11c5884f5a24d25051aa0 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Thu, 7 Apr 2022 07:53:33 -0600
Subject: [PATCH 2/8] Ensure our width and height variables exist before we use them to avoid throwing PHP warnings
---
 safe-svg.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/safe-svg.php b/safe-svg.php
index 37069a9f..c4bd1557 100644
--- a/safe-svg.php
+++ b/safe-svg.php
@@ -501,11 +501,11 @@ protected function svg_dimensions( $svg ) {
 * @return {bool} If we should use the width & height attributes first or not.
 */
 if ( (bool) apply_filters( 'safe_svg_use_width_height_attributes', false, $svg ) ) {
- $width = $attr_width;
- $height = $attr_height;
+ $width = $attr_width ?? 0;
+ $height = $attr_height ?? 0;
 } else {
- $width = $viewbox_width;
- $height = $viewbox_height;
+ $width = $viewbox_width ?? 0;
+ $height = $viewbox_height ?? 0;
 }
 
 if ( ! $width && ! $height ) {
From dbb3e1c7d5550bc3ad254656a5d6e86df6869098 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Thu, 7 Apr 2022 08:15:54 -0600
Subject: [PATCH 3/8] Better fallbacks if the attributes we want aren't set
---
 safe-svg.php | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/safe-svg.php b/safe-svg.php
index c4bd1557..3007ae0c 100644
--- a/safe-svg.php
+++ b/safe-svg.php
@@ -500,12 +500,24 @@ protected function svg_dimensions( $svg ) {
 *
 * @return {bool} If we should use the width & height attributes first or not.
 */
- if ( (bool) apply_filters( 'safe_svg_use_width_height_attributes', false, $svg ) ) {
- $width = $attr_width ?? 0;
- $height = $attr_height ?? 0;
+ $use_width_height = (bool) apply_filters( 'safe_svg_use_width_height_attributes', false, $svg );
+
+ if ( $use_width_height ) {
+ if ( isset( $attr_width, $attr_height ) ) {
+ $width = $attr_width;
+ $height = $attr_height;
+ } elseif ( isset( $viewbox_width, $viewbox_height ) ) {
+ $width = $viewbox_width;
+ $height = $viewbox_height;
+ }
 } else {
- $width = $viewbox_width ?? 0;
- $height = $viewbox_height ?? 0;
+ if ( isset( $viewbox_width, $viewbox_height ) ) {
+ $width = $viewbox_width;
+ $height = $viewbox_height;
+ } elseif ( isset( $attr_width, $attr_height ) ) {
+ $width = $attr_width;
+ $height = $attr_height;
+ }
 }
 
 if ( ! $width && ! $height ) {
From 7a5949cd0fc686fe0c0d342e935e683569fe57da Mon Sep 17 00:00:00 2001
From: Robert O'Rourke
Date: Fri, 8 Apr 2022 14:38:48 +0100
Subject: [PATCH 4/8] Check if Sanitizer class exists before bailing
Installs via packagist will have the required `enshrined/svg-sanitize` dependency in the main project's `vendor` directory. This will allow such installs to continue working, providing that the application loads the project level autoloader before plugins. Such a pattern is used in frameworks like Roots Bedrock and Altis.
---
 safe-svg.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/safe-svg.php b/safe-svg.php
index 37069a9f..6fd90a58 100644
--- a/safe-svg.php
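Review bot: When none of the four values is set, neither the `if` nor the `elseif` in either branch assigns `$width` or `$height`, so the `if ( ! $width && ! $height )` check directly after the new block reads undefined variables and raises the same PHP notice/warning the previous patch removed — unless both are initialised earlier in `svg_dimensions()`, which starts outside this hunk. Initialising them just before the branch, `$width = 0; $height = 0;`, keeps the new fallback order and makes the no-dimensions case explicit. These values are derived from the uploaded SVG's own attributes, so a file with neither `width`/`height` nor a `viewBox` is an input this path should expect rather than an edge case. Note also that `isset( $attr_width, $attr_height )` needs both to be set, so an SVG carrying only one of them falls through to the other source; a one-line comment saying that is intended would help.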
+++ b/safe-svg.php
@@ -19,7 +19,7 @@
 // Try and include our autoloader.
 if ( is_readable( __DIR__ . '/vendor/autoload.php' ) ) {
 require __DIR__ . '/vendor/autoload.php';
-} else {
+} elseif ( ! class_exists( 'enshrined\\svgSanitize\\Sanitizer' ) ) {
 add_action(
 'admin_notices',
 function() {
From 6ffdc849ab03fa946b1948c4855ece71f771a894 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Fri, 15 Apr 2022 11:19:57 -0600
Subject: [PATCH 5/8] Version bump to 2.0.1
---
 readme.txt | 2 +-
 safe-svg.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/readme.txt b/readme.txt
index 61c87bfb..6d991e47 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: 10up, enshrined
 Tags: svg, sanitize, upload, sanitise, security, svg upload, image, vector, file, graphic, media, mime
 Requires at least: 4.7
 Tested up to: 5.9
-Stable tag: 2.0.0
+Stable tag: 2.0.1
 Requires PHP: 7.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
diff --git a/safe-svg.php b/safe-svg.php
index 962bc1fc..5c187d66 100644
--- a/safe-svg.php
+++ b/safe-svg.php
@@ -3,7 +3,7 @@
 * Plugin Name: Safe SVG
 * Plugin URI: https://wordpress.org/plugins/safe-svg/
 * Description: Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website
- * Version: 2.0.0
+ * Version: 2.0.1
 * Requires at least: 4.7
 * Requires PHP: 7.0
 * Author: 10up
From 4b7ea61e4ecc3dfa0d25ab17be8f9939fe7c0cac Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Fri, 15 Apr 2022 11:30:09 -0600
Subject: [PATCH 6/8] Add 2.0.1 items to changelogs
---
 CHANGELOG.md | 12 ++++++++++++
 readme.txt | 5 +++++
 2 files changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8eb491b..604677a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
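Review bot: The new `elseif ( ! class_exists( 'enshrined\\svgSanitize\\Sanitizer' ) )` accepts any already-loadable copy of that class when the plugin's own `vendor/autoload.php` is missing, with no check on which release of the library it comes from. That class is the control that sanitizes uploaded SVGs, so a project-level install that resolves an older svg-sanitize would be used silently; the version floor then rests entirely on the constraint in the plugin's composer.json, which is not visible in this patch. I would add a comment above the condition, e.g. `// No bundled autoloader: rely on a project-level enshrined/svg-sanitize (Bedrock, Altis); its version is set by the root Composer install.`, and confirm that the declared constraint excludes releases with known sanitizer bypasses. The closure passed to `add_action` continues outside the hunk.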
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file, per [the Ke ## [Unreleased] - TBD +## [2.0.1] - 2022-04-18 + +### Changed + +- Documentation updates (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#50](https://github.com/10up/safe-svg/pull/50)). + +### Fixed + +- Ensure our height and width attributes are set before using them (props [@dkotter](https://github.com/dkotter), [@r8r](https://github.com/r8r), [@jerturowetz](https://github.com/jerturowetz), [@cadic](https://github.com/cadic) via [#51](https://github.com/10up/safe-svg/pull/51)) +- Support for installing via packagist.org (props [@roborourke](https://github.com/roborourke), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#52](https://github.com/10up/safe-svg/pull/52)). + ## [2.0.0] - 2022-04-06 ### Added - New filter, `safe_svg_use_width_height_attributes`, that can be used to change the order of attributes we use to determine the SVG dimensions (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#43](https://github.com/10up/safe-svg/pull/43)). @@ -198,6 +209,7 @@ All notable changes to this project will be documented in this file, per [the Ke - Initial Release. [Unreleased]: https://github.com/10up/safe-svg/compare/trunk...develop +[2.0.1]: https://github.com/10up/safe-svg/compare/2.0.0...2.0.1 [2.0.0]: https://github.com/10up/safe-svg/compare/1.9.10...2.0.0 [1.9.10]: https://github.com/10up/safe-svg/compare/1.9.9...1.9.10 [1.9.9]: https://github.com/10up/safe-svg/compare/1.9.8...1.9.9 diff --git a/readme.txt b/readme.txt index 6d991e47..9667dd6c 100644 --- a/readme.txt +++ b/readme.txt 
@@ -66,6 +66,11 @@ They take one argument that must be returned. See below for examples: == Changelog == += 2.0.1 - 2022-04-18 = +* **Changed:** Documentation updates (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc)). +* **Fixed:** Ensure our height and width attributes are set before using them (props [@dkotter](https://github.com/dkotter), [@r8r](https://github.com/r8r), [@jerturowetz](https://github.com/jerturowetz), [@cadic](https://github.com/cadic)). +* **Fixed:** Support for installing via packagist.org (props [@roborourke](https://github.com/roborourke), [@peterwilsoncc](https://github.com/peterwilsoncc)). + = 2.0.0 - 2022-04-06 = * **Added:** New filter, `safe_svg_use_width_height_attributes`, that can be used to change the order of attributes we use to determine the SVG dimensions (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). * **Changed:** Documentation updates (props [@j-hoffmann](https://github.com/j-hoffmann), [@jeffpaul](https://github.com/jeffpaul), [@Zodiac1978](https://github.com/Zodiac1978)). From 78238d8ca610dee016aa0974f408d9c3b3bb523a Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Fri, 15 Apr 2022 11:33:02 -0600 Subject: [PATCH 7/8] Update CREDITS.md --- CREDITS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CREDITS.md b/CREDITS.md index f2e08f79..382519c9 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc. -[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Torsten Landsiedel (@Zodiac1978)](https://github.com/Zodiac1978), [Axel DUCORON (@aksld)](https://github.com/aksld). +[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. 
Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Torsten Landsiedel (@Zodiac1978)](https://github.com/Zodiac1978), [Axel DUCORON (@aksld)](https://github.com/aksld), [Mario Rader (@r8r)](https://github.com/r8r), [Jeremy Turowetz (@jerturowetz)](https://github.com/jerturowetz), [Robert O'Rourke (@roborourke)](https://github.com/roborourke). ## Libraries From 18f75c01c01f29ac310700a423982201d081abce Mon Sep 17 00:00:00 2001 From: Darin Kotter Date: Tue, 19 Apr 2022 09:32:01 -0600 Subject: [PATCH 8/8] Update release date --- CHANGELOG.md | 2 +- readme.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 604677a1..5a4ab5cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file, per [the Ke ## [Unreleased] - TBD -## [2.0.1] - 2022-04-18 +## [2.0.1] - 2022-04-19 ### Changed diff --git a/readme.txt b/readme.txt index 9667dd6c..a2b28ae6 100644 --- a/readme.txt +++ b/readme.txt 
@@ -66,7 +66,7 @@ They take one argument that must be returned. See below for examples: == Changelog == -= 2.0.1 - 2022-04-18 = += 2.0.1 - 2022-04-19 = * **Changed:** Documentation updates (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc)). * **Fixed:** Ensure our height and width attributes are set before using them (props [@dkotter](https://github.com/dkotter), [@r8r](https://github.com/r8r), [@jerturowetz](https://github.com/jerturowetz), [@cadic](https://github.com/cadic)). * **Fixed:** Support for installing via packagist.org (props [@roborourke](https://github.com/roborourke), [@peterwilsoncc](https://github.com/peterwilsoncc)).