SECURITY: Fix animate blacklist

The blacklist should prevent animating any element's xlink:href to a
javascript url.

Bug: T86711
Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a

includes/upload/UploadBase.php

@@ -1424,11 +1424,10 @@ abstract class UploadBase {
 				}
 			}
 
-			# Change href with animate from (http://html5sec.org/#137). This doesn't seem
-			# possible without embedding the svg, but filter here in case.
-			if ( $stripped == 'from'
+			# Change href with animate from (http://html5sec.org/#137).
+			if ( $stripped === 'attributename'
 				&& $strippedElement === 'animate'
-				&& !preg_match( '!^https?://!im', $value )
+				&& $this->stripXmlNamespace( $value ) == 'href'
 			) {
 				wfDebug( __METHOD__ . ": Found animate that might be changing href using from "
 					. "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );

tests/phpunit/includes/upload/UploadBaseTest.php

@@ -279,6 +279,18 @@ class UploadBaseTest extends MediaWikiTestCase {
 				true,
 				'SVG with animate from (http://html5sec.org/#137)'
 			),
+			array(
+				'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <a><text y="1em">Click me</text> <animate attributeName="xlink:href" values="javascript:alert(\'Bang!\')" begin="0s" dur="0.1s" fill="freeze" /> </a></svg>',
+				true,
+				true,
+				'SVG with animate xlink:href (http://html5sec.org/#137)'
+			),
+			array(
+				'<svg xmlns="http://www.w3.org/2000/svg" xmlns:y="http://www.w3.org/1999/xlink"> <a y:href="#"> <text y="1em">Click me</text> <animate attributeName="y:href" values="javascript:alert(\'Bang!\')" begin="0s" dur="0.1s" fill="freeze" /> </a> </svg>',
+				true,
+				true,
+				'SVG with animate y:href (http://html5sec.org/#137)'
+			),
 
 			// Other hostile SVG's
 			array(