🛂(backend) remove svg from unsafe

We added content-security-policy on nginx.
It should be safe to allow svg files now.
We remove the svg file from the unsafe
attachments list. We adapt the tests accordingly.

src/backend/impress/settings.py

@@ -210,7 +210,6 @@ class Base(Configuration):
         "application/x-ms-regedit",
         "application/x-msdownload",
         "application/xml",
-        "image/svg+xml",
     ]
 
     # Document versions

src/frontend/apps/e2e/__tests__/app-impress/assets/test.html

@@ -0,0 +1,22 @@
+<html>
+  <head>
+    <title>Test unsafe file</title>
+  </head>
+  <body>
+    <h1>Hello svg</h1>
+    <img src="test.jpg" alt="test" />
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width="100"
+      height="100"
+      viewBox="0 0 100 100"
+    >
+      <circle cx="50" cy="30" r="20" fill="#3498db" />
+      <polygon
+        points="50,10 55,20 65,20 58,30 60,40 50,35 40,40 42,30 35,20 45,20"
+        fill="#f1c40f"
+      />
+      <text x="50" y="70" text-anchor="middle" fill="white">Hello svg</text>
+    </svg>
+  </body>
+</html>

src/frontend/apps/e2e/__tests__/app-impress/assets/test.svg

@@ -1,13 +0,0 @@
-<svg
-  xmlns="http://www.w3.org/2000/svg"
-  width="100"
-  height="100"
-  viewBox="0 0 100 100"
->
-  <circle cx="50" cy="30" r="20" fill="#3498db" />
-  <polygon
-    points="50,10 55,20 65,20 58,30 60,40 50,35 40,40 42,30 35,20 45,20"
-    fill="#f1c40f"
-  />
-  <text x="50" y="70" text-anchor="middle" fill="white">Hello svg</text>
-</svg>

src/frontend/apps/e2e/__tests__/app-impress/doc-editor.spec.ts

@@ -452,7 +452,7 @@ test.describe('Doc Editor', () => {
 
     const fileChooserPromise = page.waitForEvent('filechooser');
     const downloadPromise = page.waitForEvent('download', (download) => {
-      return download.suggestedFilename().includes(`svg`);
+      return download.suggestedFilename().includes(`html`);
     });
 
     await verifyDocName(page, randomDoc);
@@ -462,14 +462,14 @@ test.describe('Doc Editor', () => {
 
     await page.keyboard.press('Enter');
     await page.locator('.bn-block-outer').last().fill('/');
-    await page.getByText('Resizable image with caption').click();
+    await page.getByText('Embedded file').click();
-    await page.getByText('Upload image').click();
+    await page.getByText('Upload file').click();
 
     const fileChooser = await fileChooserPromise;
-    await fileChooser.setFiles(path.join(__dirname, 'assets/test.svg'));
+    await fileChooser.setFiles(path.join(__dirname, 'assets/test.html'));
 
-    await page.locator('.bn-block-content[data-name="test.svg"]').click();
+    await page.locator('.bn-block-content[data-name="test.html"]').click();
-    await page.getByRole('button', { name: 'Download image' }).click();
+    await page.getByRole('button', { name: 'Download file' }).click();
 
     await expect(
       page.getByText('This file is flagged as unsafe.'),
@@ -478,7 +478,7 @@ test.describe('Doc Editor', () => {
     await page.getByRole('button', { name: 'Download' }).click();
 
     const download = await downloadPromise;
-    expect(download.suggestedFilename()).toContain(`-unsafe.svg`);
+    expect(download.suggestedFilename()).toContain(`-unsafe.html`);
 
     const svgBuffer = await cs.toBuffer(await download.createReadStream());
     expect(svgBuffer.toString()).toContain('Hello svg');