🛂(backend) remove svg from unsafe

We added content-security-policy on nginx. It should be safe to allow svg files now. We remove the svg file from the unsafe attachments list. We adapt the tests accordingly.
2025-02-28 15:47:36 +01:00
parent 22a665e535
commit 7b1ddc0e05
4 changed files with 29 additions and 21 deletions
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -210,7 +210,6 @@ class Base(Configuration):
        "application/x-ms-regedit",
        "application/x-msdownload",
        "application/xml",
-        "image/svg+xml",
    ]

    # Document versions
--- a/src/frontend/apps/e2e/tests/app-impress/assets/test.html
+++ b/src/frontend/apps/e2e/tests/app-impress/assets/test.html
@@ -0,0 +1,22 @@
+<html>
+  <head>
+    <title>Test unsafe file</title>
+  </head>
+  <body>
+    <h1>Hello svg</h1>
+    <img src="test.jpg" alt="test" />
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width="100"
+      height="100"
+      viewBox="0 0 100 100"
+    >
+      <circle cx="50" cy="30" r="20" fill="#3498db" />
+      <polygon
+        points="50,10 55,20 65,20 58,30 60,40 50,35 40,40 42,30 35,20 45,20"
+        fill="#f1c40f"
+      />
+      <text x="50" y="70" text-anchor="middle" fill="white">Hello svg</text>
+    </svg>
+  </body>
+</html>
--- a/src/frontend/apps/e2e/tests/app-impress/assets/test.svg
+++ b/src/frontend/apps/e2e/tests/app-impress/assets/test.svg
@@ -1,13 +0,0 @@
-<svg
-  xmlns="http://www.w3.org/2000/svg"
-  width="100"
-  height="100"
-  viewBox="0 0 100 100"
->
-  <circle cx="50" cy="30" r="20" fill="#3498db" />
-  <polygon
-    points="50,10 55,20 65,20 58,30 60,40 50,35 40,40 42,30 35,20 45,20"
-    fill="#f1c40f"
-  />
-  <text x="50" y="70" text-anchor="middle" fill="white">Hello svg</text>
-</svg>
--- a/src/frontend/apps/e2e/tests/app-impress/doc-editor.spec.ts
+++ b/src/frontend/apps/e2e/tests/app-impress/doc-editor.spec.ts
@@ -452,7 +452,7 @@ test.describe('Doc Editor', () => {

    const fileChooserPromise = page.waitForEvent('filechooser');
    const downloadPromise = page.waitForEvent('download', (download) => {
-      return download.suggestedFilename().includes(`svg`);
+      return download.suggestedFilename().includes(`html`);
    });

    await verifyDocName(page, randomDoc);
@@ -462,14 +462,14 @@ test.describe('Doc Editor', () => {

    await page.keyboard.press('Enter');
    await page.locator('.bn-block-outer').last().fill('/');
-    await page.getByText('Resizable image with caption').click();
-    await page.getByText('Upload image').click();
+    await page.getByText('Embedded file').click();
+    await page.getByText('Upload file').click();

    const fileChooser = await fileChooserPromise;
-    await fileChooser.setFiles(path.join(__dirname, 'assets/test.svg'));
+    await fileChooser.setFiles(path.join(__dirname, 'assets/test.html'));

-    await page.locator('.bn-block-content[data-name="test.svg"]').click();
-    await page.getByRole('button', { name: 'Download image' }).click();
+    await page.locator('.bn-block-content[data-name="test.html"]').click();
+    await page.getByRole('button', { name: 'Download file' }).click();

    await expect(
      page.getByText('This file is flagged as unsafe.'),
@@ -478,7 +478,7 @@ test.describe('Doc Editor', () => {
    await page.getByRole('button', { name: 'Download' }).click();

    const download = await downloadPromise;
-    expect(download.suggestedFilename()).toContain(`-unsafe.svg`);
+    expect(download.suggestedFilename()).toContain(`-unsafe.html`);

    const svgBuffer = await cs.toBuffer(await download.createReadStream());
    expect(svgBuffer.toString()).toContain('Hello svg');