| Current File : /home/gulsvnnd/heaventouchspa.com/wp-content/plugins/svg-support/functions/attachment.php |
<?php
/**
* SVG Support in attachment modal
*
* This file contains functions to manage and manipulate SVG attachments in WordPress.
* It includes functionality for displaying SVGs in the attachment modal, generating metadata,
* sanitizing SVG files, and handling specific SVG-related scenarios.
*/
if ( ! defined( 'ABSPATH' ) ) {
exit; // Exit if accessed directly
}
/**
* Add SVG dimensions and other details to the response for displaying in the attachment modal.
*
* @param array $response The prepared attachment response data.
* @param object $attachment The attachment object.
* @param array $meta The attachment meta data.
*
* @return array Modified response with SVG dimensions and URL.
*/
function bodhi_svgs_response_for_svg( $response, $attachment, $meta ) {
if ( $response['mime'] == 'image/svg+xml' && empty( $response['sizes'] ) ) {
$svg_path = get_attached_file( $attachment->ID );
if ( ! file_exists( $svg_path ) ) {
// If SVG is external, use the URL instead of the path
$svg_path = $response['url'];
}
$dimensions = bodhi_svgs_get_dimensions( $svg_path );
$response['sizes'] = array(
'full' => array(
'url' => $response['url'],
'width' => $dimensions->width,
'height' => $dimensions->height,
'orientation' => $dimensions->width > $dimensions->height ? 'landscape' : 'portrait'
)
);
}
return $response;
}
add_filter( 'wp_prepare_attachment_for_js', 'bodhi_svgs_response_for_svg', 10, 3 );
/**
* Get the dimensions of an SVG file.
*
* This function checks if the SVG is a local file or a remote URL, retrieves its content, and
* parses the width and height from the SVG attributes.
*
* @param string $svg The file path or URL of the SVG.
*
* @return object An object containing the width and height of the SVG.
*/
function bodhi_svgs_get_dimensions( $svg ) {
$svg_content = '';
// Check if $svg is a URL or a local file path
if ( filter_var( $svg, FILTER_VALIDATE_URL ) ) {
// For remote SVGs, use wp_remote_get()
$response = wp_remote_get( $svg );
if ( is_wp_error( $response ) ) {
return (object) array( 'width' => 0, 'height' => 0 );
}
$svg_content = wp_remote_retrieve_body( $response );
} else {
// For local files, use WP_Filesystem to read the file content
if ( ! function_exists( 'WP_Filesystem' ) ) {
require_once ABSPATH . 'wp-admin/includes/file.php';
}
global $wp_filesystem;
WP_Filesystem();
$svg_content = $wp_filesystem->get_contents( $svg );
}
if ( empty( $svg_content ) ) {
return (object) array( 'width' => 0, 'height' => 0 );
}
$svg = simplexml_load_string( $svg_content );
if ( $svg === FALSE ) {
$width = '0';
$height = '0';
} else {
$attributes = $svg->attributes();
$width = (string) $attributes->width;
$height = (string) $attributes->height;
}
return (object) array( 'width' => $width, 'height' => $height );
}
/**
* Generate attachment metadata for SVGs. (Thanks @surml)
*
* This function generates metadata for SVG attachments, including dimensions and file path.
* It is used to fix warnings related to missing width and height metadata for SVGs.
*
* @param array $metadata The attachment metadata.
* @param int $attachment_id The attachment ID.
*
* @return array Modified metadata including SVG dimensions.
*/
function bodhi_svgs_generate_svg_attachment_metadata( $metadata, $attachment_id ) {
$mime = get_post_mime_type( $attachment_id );
if ( $mime == 'image/svg+xml' ) {
$svg_path = get_attached_file( $attachment_id );
$upload_dir = wp_upload_dir();
// Get the path relative to /uploads/
$relative_path = $svg_path ? str_replace($upload_dir['basedir'], '', $svg_path) : '';
$filename = basename( $svg_path );
$dimensions = bodhi_svgs_get_dimensions( $svg_path );
$metadata = array(
'width' => intval($dimensions->width),
'height' => intval($dimensions->height),
'file' => $relative_path
);
$height = intval($dimensions->height);
$width = intval($dimensions->width);
// Generate sizes array for future implementations, if needed
$sizes = array();
foreach ( get_intermediate_image_sizes() as $s ) {
$sizes[$s] = array( 'width' => '', 'height' => '', 'crop' => false );
if ( $width !== 0 && $height !== 0 ) {
if ( isset( $_wp_additional_image_sizes[$s]['width'] ) ) {
$width_current_size = intval( $_wp_additional_image_sizes[$s]['width'] );
} else {
$width_current_size = get_option( "{$s}_size_w" );
}
if ( $width > $height ) {
$ratio = round($width / $height, 2);
$new_height = round($width_current_size / $ratio);
} else {
$ratio = round($height / $width, 2);
$new_height = round($width_current_size * $ratio);
}
$sizes[$s]['width'] = $width_current_size;
$sizes[$s]['height'] = $new_height;
$sizes[$s]['crop'] = false;
} else {
if ( isset( $_wp_additional_image_sizes[$s]['width'] ) ) {
$sizes[$s]['width'] = intval( $_wp_additional_image_sizes[$s]['width'] );
} else {
$sizes[$s]['width'] = get_option( "{$s}_size_w" );
}
if ( isset( $_wp_additional_image_sizes[$s]['height'] ) ) {
$sizes[$s]['height'] = intval( $_wp_additional_image_sizes[$s]['height'] );
} else {
$sizes[$s]['height'] = get_option( "{$s}_size_h" );
}
if ( isset( $_wp_additional_image_sizes[$s]['crop'] ) ) {
$sizes[$s]['crop'] = intval( $_wp_additional_image_sizes[$s]['crop'] );
} else {
$sizes[$s]['crop'] = get_option( "{$s}_crop" );
}
}
$sizes[$s]['file'] = $filename;
$sizes[$s]['mime-type'] = 'image/svg+xml';
}
$metadata['sizes'] = $sizes;
}
return $metadata;
}
add_filter( 'wp_generate_attachment_metadata', 'bodhi_svgs_generate_svg_attachment_metadata', 10, 3 );
/**
* Sanitize SVG files.
*
* This function sanitizes SVG files by removing potentially harmful elements and attributes.
* It also optionally minifies the SVG content and re-encodes it if it was originally gzipped.
*
* @param string $file The file path of the SVG to sanitize.
*
* @return bool True if the file was successfully sanitized, false otherwise.
*/
function bodhi_svgs_sanitize( $file ){
global $sanitizer;
$sanitizer->setAllowedTags( new bodhi_svg_tags() );
$sanitizer->setAllowedAttrs( new bodhi_svg_attributes() );
$dirty = '';
// Using WP_Filesystem to read the SVG file content
if ( ! function_exists( 'WP_Filesystem' ) ) {
require_once ABSPATH . 'wp-admin/includes/file.php';
}
global $wp_filesystem;
WP_Filesystem();
$dirty = $wp_filesystem->get_contents( $file );
// Try to decode if gzipped is enabled
if ( $is_zipped = bodhi_svgs_is_gzipped( $dirty ) ) {
$dirty = gzdecode( $dirty );
// Return on failure, since we can't read file
if ( $dirty === false ) {
return false;
}
}
// Remove remote references since they are dangerous and lead to injection
$sanitizer->removeRemoteReferences(true);
// Enable minify in library if its enabled in admin panel
bodhi_svgs_minify();
$clean = $sanitizer->sanitize( $dirty );
if ( $clean === false ) {
return false;
}
// If the file was gzipped, we need to re-zip it
if ( $is_zipped ) {
$clean = gzencode( $clean );
}
// Use WP_Filesystem to write the sanitized content back
if ( ! $wp_filesystem->put_contents( $file, $clean, FS_CHMOD_FILE ) ) {
return false;
}
return true;
}
/**
* Enable minification for SVG files.
*
* This function enables minification for SVG files if the option is set in the plugin settings.
*/
function bodhi_svgs_minify() {
global $bodhi_svgs_options;
global $sanitizer;
if ( !empty($bodhi_svgs_options['minify_svg']) && $bodhi_svgs_options['minify_svg'] === 'on' ) {
$sanitizer->minify(true);
}
}
/**
* Check if a string is gzipped.
*
* @param string $contents The contents to check.
*
* @return bool True if the contents are gzipped, false otherwise.
*/
function bodhi_svgs_is_gzipped( $contents ) {
if ($contents === null) {
return false;
}
if ( function_exists( 'mb_strpos' ) ) {
return 0 === mb_strpos( $contents, "\x1f" . "\x8b" . "\x08" );
} else {
return 0 === strpos( $contents, "\x1f" . "\x8b" . "\x08" );
}
}
/**
* Pre-filter for handling SVG uploads.
*
* This function checks if the uploaded file is an SVG and applies sanitization if required.
*
* @param array $file The uploaded file data.
*
* @return array The modified file data.
*/
function bodhi_svgs_sanitize_svg($file) {
global $bodhi_svgs_options;
$file_path = $file['tmp_name'];
$file_name = $file['name'];
// First quick check - if it's clearly not an SVG, return early
if (!empty($file_name) && strtolower(pathinfo($file_name, PATHINFO_EXTENSION)) !== 'svg') {
return $file;
}
// Multiple validation checks for SVG
if ( $file_path && file_exists( $file_path ) ) {
// 1. Check MIME type using fileinfo
$finfo = finfo_open( FILEINFO_MIME_TYPE );
$real_mime = finfo_file( $finfo, $file_path );
finfo_close( $finfo );
// 2. Read first bytes of the file to check for SVG header
$file_content = file_get_contents( $file_path );
// Check for XML declaration and SVG tag
$pattern1 = '/^[\s\n]*(?:<\?xml[^>]*>[\s\n]*)?(?:<!--.*?-->[\s\n]*)*(?:<!DOCTYPE[^>]*>[\s\n]*)?(?:<!--.*?-->[\s\n]*)*<svg[^>]*>/is';
$pattern2 = '/^[\s\n]*(?:<!--.*?-->[\s\n]*)*<svg[^>]*>/is';
$match1 = preg_match( $pattern1, $file_content );
$match2 = preg_match( $pattern2, $file_content );
$has_closing = strpos( $file_content, '</svg>' ) !== false;
$is_svg_content = ( $match1 || $match2 ) && $has_closing;
// If content validation fails OR (mime type isn't SVG AND isn't a plain text file containing SVG)
if ( !$is_svg_content ||
( $real_mime !== 'image/svg+xml' &&
$real_mime !== 'image/svg' &&
!( $real_mime === 'text/plain' && $is_svg_content ) ) ) {
$file['error'] = __( 'File is not a valid SVG.', 'svg-support' );
return $file;
}
}
// Now we know it's an SVG, continue with security checks
if (!defined('REST_REQUEST') && !wp_verify_nonce(
sanitize_text_field(wp_unslash($_REQUEST['_wpnonce'] ?? '')),
'media-form'
)) {
$file['error'] = __('Security check failed.', 'svg-support');
return $file;
}
// Get the roles that do not require SVG sanitization
$sanitize_on_upload_roles_array = (array) $bodhi_svgs_options['sanitize_on_upload_roles'];
$user = wp_get_current_user();
$current_user_roles = (array) $user->roles;
// Check if the current user's roles intersect with the roles that do not need sanitization
$no_sanitize_needed = array_intersect($sanitize_on_upload_roles_array, $current_user_roles);
// Check if the user has the capability to upload SVGs
$can_upload_files = current_user_can('upload_files');
// Force sanitize unless user is in roles that bypass sanitization
if ($can_upload_files && empty($no_sanitize_needed)) {
global $sanitizer;
// Read file contents
$file_content = file_get_contents($file_path);
if ($file_content === false) {
$file['error'] = __("Unable to read SVG file for sanitization.", 'svg-support');
return $file;
}
// Sanitize the content
$clean_svg = $sanitizer->sanitize($file_content);
if ($clean_svg === false) {
$file['error'] = __("Sorry, this file couldn't be sanitized for security reasons and wasn't uploaded.", 'svg-support');
return $file;
}
// Write sanitized content back
$write_result = file_put_contents($file_path, $clean_svg);
if ($write_result === false) {
$file['error'] = __("Unable to save sanitized SVG file.", 'svg-support');
return $file;
}
}
return $file;
}
// Add filter to handle upload pre-filtering for sanitization
add_filter('wp_handle_upload_prefilter', 'bodhi_svgs_sanitize_svg');
/**
* Fix for image widget PHP warnings related to metadata.
*
* @param array $data The attachment metadata.
*
* @return array|false The modified metadata or false if invalid.
*/
function bodhi_svgs_get_attachment_metadata( $data ) {
$res = $data;
if ( !isset( $data['width'] ) || !isset( $data['height'] ) ) {
$res = false;
}
return $res;
}
// add_filter( 'wp_get_attachment_metadata' , 'bodhi_svgs_get_attachment_metadata' );
// Commented this out 20200307 because it was stripping metadata from other attachments as well. Need to make this target only SVG attachments.
/**
* Remove srcset attribute for SVG images.
*
* @param array $sources The sources array for the image.
*
* @return array The modified sources array.
*/
function bodhi_svgs_disable_srcset( $sources ) {
$first_element = reset($sources);
if ( isset($first_element) && !empty($first_element['url']) ) {
$ext = pathinfo(reset($sources)['url'], PATHINFO_EXTENSION);
if ( $ext == 'svg' ) {
// return empty array
$sources = array();
return $sources;
} else {
return $sources;
}
} else {
return $sources;
}
}
add_filter( 'wp_calculate_image_srcset', 'bodhi_svgs_disable_srcset' );
/**
* Fix for division by zero error for SVGs. (Proposed by @starsis)
*
* This function ensures that SVGs do not cause division by zero errors by providing default
* dimensions if they are missing.
*
* @param array $image The image data.
* @param int $attachment_id The attachment ID.
* @param string $size The requested image size.
* @param bool $icon Whether the image is an icon.
*
* @return array The modified image data.
*/
function bodhi_svgs_dimension_fallback( $image, $attachment_id, $size, $icon ) {
// only manipulate for svgs
if ( get_post_mime_type($attachment_id) == 'image/svg+xml' ) {
if ( isset($image[1]) && $image[1] === 0 ) {
$image[1] = 1;
}
if ( isset($image[2]) && $image[2] === 0 ) {
$image[2] = 1;
}
}
return $image;
}
add_filter( 'wp_get_attachment_image_src', 'bodhi_svgs_dimension_fallback', 10, 4 );
/**
* Pre-process SVG files uploaded via REST API
*
* @param array $file File data before processing
* @param array $request The full request payload
* @return array|WP_Error Modified file data or error
*/
function bodhi_svgs_rest_pre_upload($file, $request) {
if ($file['type'] === 'image/svg+xml') {
// Randomize filename for REST API uploads
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
$random_name = wp_generate_password(12, false) . '.' . $ext;
$file['name'] = sanitize_file_name($random_name);
// Force sanitization
if (!bodhi_svgs_sanitize($file['tmp_name'])) {
return new WP_Error(
'svg_sanitization_failed',
__('SVG sanitization failed for security reasons.', 'svg-support'),
array('status' => 400)
);
}
}
return $file;
}
add_filter('rest_pre_upload_file', 'bodhi_svgs_rest_pre_upload', 10, 2);
function bodhi_svgs_handle_upload_check($fileinfo) {
if ($fileinfo['type'] === 'image/svg+xml') {
global $bodhi_last_upload_info;
$bodhi_last_upload_info = $fileinfo;
}
return $fileinfo;
}
add_filter('wp_handle_upload', 'bodhi_svgs_handle_upload_check');
function bodhi_svgs_rest_insert_attachment($prepared_attachment, $request) {
if ($request->get_header('content-type') !== 'image/svg+xml') {
return $prepared_attachment;
}
global $bodhi_svgs_options;
$user = wp_get_current_user();
$current_user_roles = (array) $user->roles;
$sanitize_on_upload_roles_array = (array) $bodhi_svgs_options['sanitize_on_upload_roles'];
$should_sanitize = empty(array_intersect($sanitize_on_upload_roles_array, $current_user_roles));
if ($should_sanitize) {
$file_path = get_attached_file($prepared_attachment->ID);
if (!$file_path) {
global $bodhi_last_upload_info;
if (isset($bodhi_last_upload_info['file'])) {
$file_path = $bodhi_last_upload_info['file'];
}
}
if ($file_path && file_exists($file_path)) {
global $sanitizer;
$file_content = file_get_contents($file_path);
if ($file_content !== false) {
$clean_svg = $sanitizer->sanitize($file_content);
if ($clean_svg !== false) {
file_put_contents($file_path, $clean_svg);
}
}
}
}
return $prepared_attachment;
}
add_filter('rest_insert_attachment', 'bodhi_svgs_rest_insert_attachment', 10, 2);