From 69ea8229caa89b1f97b8d7c97924bed881a25dd6 Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Thu, 27 May 2021 12:59:42 +0200
Subject: [PATCH] :spakles: Minor improvements on svg uploading on libraries.

Mainly reject svgs that have doctype declaration for security reasons.
---
 backend/src/app/media.clj           | 2 +-
 backend/src/app/rpc/queries/svg.clj | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/src/app/media.clj b/backend/src/app/media.clj
index 10de5266e3..b2aeefa184 100644
--- a/backend/src/app/media.clj
+++ b/backend/src/app/media.clj
@@ -183,7 +183,7 @@
   (us/assert ::input input)
   (let [{:keys [path mtype]} input]
     (if (= mtype "image/svg+xml")
-      (let [info (some-> path slurp svg/pre-process svg/parse get-basic-info-from-svg)]
+      (let [info (some-> path slurp svg/parse get-basic-info-from-svg)]
         (when-not info
           (ex/raise :type :validation
                     :code :invalid-svg-file
diff --git a/backend/src/app/rpc/queries/svg.clj b/backend/src/app/rpc/queries/svg.clj
index f8e978534f..63c0b8aeb2 100644
--- a/backend/src/app/rpc/queries/svg.clj
+++ b/backend/src/app/rpc/queries/svg.clj
@@ -54,6 +54,6 @@
   [data]
   (cond-> data
     (str/includes? data "]+>" "")))
+    (str/replace #"<\!DOCTYPE[^>]*>" "")))
 
 (def pre-process strip-doctype)
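Review bot: The `:invalid-svg-file` validation error raised two lines below the new `let` is reached only when the `some->` chain yields nil, so the rejection of DOCTYPE-bearing files described in the commit message holds only if `svg/parse` returns nil for such input rather than throwing; if it throws, the upload fails with an unclassified error instead of the intended validation error. `svg/parse` is not visible here, so this may already be the case, but it is worth confirming with a test that uploads an SVG carrying a DOCTYPE. The reason `svg/pre-process` was dropped is also not recorded in the code; a comment on the new line such as `;; no doctype stripping here: per commit 69ea822, files with a DOCTYPE are rejected rather than sanitized` would keep the next maintainer from reintroducing it. The enclosing function starts and ends outside the hunk.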
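Review bot: The new pattern `<\!DOCTYPE[^>]*>` on the added line still stops at the first `>`, so a DOCTYPE with an internal subset (`<!DOCTYPE svg [ ... ]>`, the form that carries entity declarations) is only partially removed and the remainder reaches the parser; widening `+` to `*` only adds the degenerate `<!DOCTYPE>` case. Since `(def pre-process strip-doctype)` on the hunk's last line is kept, the helper appears to remain in use even though the media path no longer calls it, so this gap is not closed by the first hunk alone. Given the commit's stated goal of rejecting rather than sanitizing, a safer shape is to fail in the `str/includes?` guard instead of stripping, or to disable DTD support in the XML parser behind `svg/parse` (e.g. `XMLInputFactory/SUPPORT_DTD` set to false), and to note on `strip-doctype` that it is a best-effort textual strip, not a security boundary. The removed line is not legible on this page, so I am reading the change from the new line only; `strip-doctype`'s header is outside the hunk.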