Document - fix stored xss

https://huntr.dev/bounties/99c4ed09-b66f-474a-bd74-eeccf9339fde/

app/Libraries/HTMLUtils.php

@@ -4,6 +4,7 @@ namespace App\Libraries;
 
 use HTMLPurifier;
 use HTMLPurifier_Config;
+use enshrined\svgSanitize\Sanitizer;
 
 class HTMLUtils
 {
@@ -74,4 +75,15 @@ class HTMLUtils
 
         return env($key, env($field, $default));
     }
+
+    public static function sanitizeSVG($svg)
+    {
+        try {
+            $sanitizer = new Sanitizer();
+
+            return $sanitizer->sanitize($svg);
+        } catch(\Exception $e) {
+            return "";
+        }
+    }
 }

app/Ninja/Repositories/DocumentRepository.php

@@ -7,6 +7,7 @@ use DB;
 use Form;
 use Intervention\Image\ImageManager;
 use Utils;
+use App\Libraries\HTMLUtils;
 
 class DocumentRepository extends BaseRepository
 {
@@ -83,6 +84,14 @@ class DocumentRepository extends BaseRepository
             return 'File too large';
         }
 
+        if($documentType === 'svg') {
+            $stream = file_get_contents($filePath);
+            if(!($stream = HTMLUtils::sanitizeSVG($stream))) {
+                return 'Unsupported file type';
+            }
+            file_put_contents($filePath, $stream);
+        }
+
         // don't allow a document to be linked to both an invoice and an expense
         if (array_get($data, 'invoice_id') && array_get($data, 'expense_id')) {
             unset($data['expense_id']);

composer.json

@@ -44,6 +44,7 @@
         "digitickets/omnipay-realex": "~5.0",
         "doctrine/dbal": "2.6.x",
         "dompdf/dompdf": "0.6.2",
+        "enshrined/svg-sanitize": "^0.14.1",
         "ezyang/htmlpurifier": "~v4.7",
         "fotografde/omnipay-checkoutcom": "~2.0",
         "fruitcakestudio/omnipay-sisow": "~2.0",