fix(preview): harden SVG handling and normalize mime type

2025-11-29 23:11:50 -05:00
parent a50fa30db2
commit f2ce43f18f
6 changed files with 73 additions and 27 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog

+## Changes 11/29/2025 (v2.2.3)
+
+fix(preview): harden SVG handling and normalize mime type
+
+- Stop treating SVGs as inline-previewable images in file list and preview modal
+- Show a clear “SVG preview disabled for security reasons” message instead
+- Keep SVGs downloadable via /api/file/download.php with proper image/svg+xml MIME
+- Add i18n key for svg_preview_disabled
+
+---
+
 ## Changes 11/29/2025 (v2.2.2)

 release(v2.2.2): feat(folders): show inline folder stats & dates
--- a/public/js/domUtils.js
+++ b/public/js/domUtils.js
@@ -179,9 +179,22 @@ export function buildFileTableRow(file, folderPath) {
  const safeUploader = escapeHTML(file.uploader || "Unknown");

  let previewButton = "";
-  if (/\.(jpg|jpeg|png|gif|bmp|webp|svg|ico|tif|tiff|eps|heic|pdf|mp4|webm|mov|mp3|wav|m4a|ogg|flac|aac|wma|opus|mkv|ogv)$/i.test(file.name)) {
+
+  const isSvg = /\.svg$/i.test(file.name);
+
+  // IMPORTANT: do NOT treat SVG as previewable
+  if (
+    !isSvg &&
+    /\.(jpg|jpeg|png|gif|bmp|webp|ico|tif|tiff|eps|heic|pdf|mp4|webm|mov|mp3|wav|m4a|ogg|flac|aac|wma|opus|mkv|ogv)$/i
+      .test(file.name)
+  ) {
    let previewIcon = "";
-    if (/\.(jpg|jpeg|png|gif|bmp|webp|svg|ico|tif|tiff|eps|heic)$/i.test(file.name)) {
+
+    // images (SVG explicitly excluded)
+    if (
+      /\.(jpg|jpeg|png|gif|bmp|webp|ico|tif|tiff|eps|heic)$/i
+        .test(file.name)
+    ) {
      previewIcon = `<i class="material-icons">image</i>`;
    } else if (/\.(mp4|mkv|webm|mov|ogv)$/i.test(file.name)) {
      previewIcon = `<i class="material-icons">videocam</i>`;
@@ -190,14 +203,16 @@ export function buildFileTableRow(file, folderPath) {
    } else if (/\.(mp3|wav|m4a|ogg|flac|aac|wma|opus)$/i.test(file.name)) {
      previewIcon = `<i class="material-icons">audiotrack</i>`;
    }
-    previewButton = `<button 
-                        type="button"
-                        class="btn btn-sm btn-info preview-btn" 
-                        data-preview-url="${folderPath + encodeURIComponent(file.name)}?t=${Date.now()}" 
-                        data-preview-name="${safeFileName}" 
-                        title="${t('preview')}">
-                       ${previewIcon}
-                     </button>`;
+
+    previewButton = `
+      <button 
+        type="button"
+        class="btn btn-sm btn-info preview-btn" 
+        data-preview-url="${folderPath + encodeURIComponent(file.name)}?t=${Date.now()}" 
+        data-preview-name="${safeFileName}" 
+        title="${t('preview')}">
+        ${previewIcon}
+      </button>`;
  }

  return `
@@ -242,13 +257,13 @@ export function buildFileTableRow(file, folderPath) {
          <i class="material-icons">drive_file_rename_outline</i>
        </button>
        <!-- share -->
-       <button 
-         type="button"
-         class="btn btn-secondary btn-sm share-btn ms-1"
-         data-file="${safeFileName}"
-         title="${t('share')}">
-         <i class="material-icons">share</i>
-       </button>
+        <button 
+          type="button"
+          class="btn btn-secondary btn-sm share-btn ms-1"
+          data-file="${safeFileName}"
+          title="${t('share')}">
+          <i class="material-icons">share</i>
+        </button>
      </div>
    </td>
  </tr>
--- a/public/js/fileListView.js
+++ b/public/js/fileListView.js
@@ -1954,7 +1954,7 @@ export function renderGalleryView(folder, container) {

    // thumbnail
    let thumbnail;
-    if (/\.(jpe?g|png|gif|bmp|webp|svg|ico)$/i.test(file.name)) {
+    if (/\.(jpe?g|png|gif|bmp|webp|ico)$/i.test(file.name)) {
      const cacheKey = previewURL; // include folder & file
      if (window.imageCache && window.imageCache[cacheKey]) {
        thumbnail = `<img
--- a/public/js/filePreview.js
+++ b/public/js/filePreview.js
@@ -120,7 +120,12 @@ export function openShareModal(file, folder) {
 }

 /* -------------------------------- Media modal viewer -------------------------------- */
-const IMG_RE = /\.(jpg|jpeg|png|gif|bmp|webp|svg|ico)$/i;
+// Images that are safe to inline in <img> tags:
+const IMG_RE = /\.(jpg|jpeg|png|gif|bmp|webp|ico)$/i;
+
+// SVG handled separately so we *don’t* inline it
+const SVG_RE = /\.svg$/i;
+
 const VID_RE = /\.(mp4|mkv|webm|mov|ogv)$/i;
 const AUD_RE = /\.(mp3|wav|m4a|ogg|flac|aac|wma|opus)$/i;
 const ARCH_RE = /\.(zip|rar|7z|gz|bz2|xz|tar)$/i;
@@ -422,11 +427,19 @@ export function previewFile(fileUrl, fileName) {
  const folder = window.currentFolder || 'root';
  const name   = fileName;
  const lower  = (name || '').toLowerCase();
+  const isSvg  = SVG_RE.test(lower);
  const isImage = IMG_RE.test(lower);
  const isVideo = VID_RE.test(lower);
  const isAudio = AUD_RE.test(lower);

  setTitle(overlay, name);
+  if (isSvg) {
+    container.textContent =
+      t("svg_preview_disabled") ||
+      "SVG preview is disabled for security. Use Download to view this file.";
+    overlay.style.display = "flex";
+    return;
+  }

  /* -------------------- IMAGES -------------------- */
  if (isImage) {
--- a/public/js/i18n.js
+++ b/public/js/i18n.js
@@ -342,7 +342,8 @@ const translations = {
    "owner": "Owner",
    "hide_header_zoom_controls": "Hide header zoom controls",
    "preview_not_available": "Preview is not available for this file type.",
-    "storage_pro_bundle_outdated": "Please upgrade to the latest FileRise Pro bundle to use the Storage explorer."
+    "storage_pro_bundle_outdated": "Please upgrade to the latest FileRise Pro bundle to use the Storage explorer.",
+    "svg_preview_disabled": "SVG preview is disabled for now for security reasons."
  },
  es: {
    "please_log_in_to_continue": "Por favor, inicie sesión para continuar.",
--- a/src/models/FileModel.php
+++ b/src/models/FileModel.php
@@ -503,13 +503,13 @@ class FileModel {
        if (!preg_match(REGEX_FILE_NAME, $file)) {
            return ["error" => "Invalid file name."];
        }
-
+    
        // Determine the real upload directory.
        $uploadDirReal = realpath(UPLOAD_DIR);
        if ($uploadDirReal === false) {
            return ["error" => "Server misconfiguration."];
        }
-
+    
        // Determine directory based on folder.
        if (strtolower($folder) === 'root' || trim($folder) === '') {
            $directory = $uploadDirReal;
@@ -524,11 +524,11 @@ class FileModel {
                return ["error" => "Invalid folder path."];
            }
        }
-
+    
        // Build the file path.
-        $filePath = $directory . DIRECTORY_SEPARATOR . $file;
+        $filePath     = $directory . DIRECTORY_SEPARATOR . $file;
        $realFilePath = realpath($filePath);
-
+    
        // Ensure the file exists and is within the allowed directory.
        if ($realFilePath === false || strpos($realFilePath, $uploadDirReal) !== 0) {
            return ["error" => "Access forbidden."];
@@ -536,13 +536,19 @@ class FileModel {
        if (!file_exists($realFilePath)) {
            return ["error" => "File not found."];
        }
-
+    
        // Get the MIME type with safe fallback.
        $mimeType = function_exists('mime_content_type') ? mime_content_type($realFilePath) : null;
        if (!$mimeType) {
            $mimeType = 'application/octet-stream';
        }
-
+    
+        // OPTIONAL: normalize SVG MIME
+        $ext = strtolower(pathinfo($realFilePath, PATHINFO_EXTENSION));
+        if ($ext === 'svg') {
+            $mimeType = 'image/svg+xml';
+        }
+    
        return [
            "filePath" => $realFilePath,
            "mimeType" => $mimeType