Only allow ENTITY declarations inside the doctype internal subset. Do not allow parameter entities, recursive entity references or entity values longer than 255 bytes, or external entity references. Filter external doctype subset to only allow the standard svg doctypes.

Recursive entities that are simple aliases are allowed because people appear to use them on commons. Declaring xmlns:xlink to have a #FIXED value to the xlink namespace is allowed because GraphViz apparently does that so it's somewhat common.

This prevents someone bypassing filter by using default attribute values in internal dtd subset. No browser loads the external dtd subset that I could find, but whitelist just to be safe anyways.

Issue reported by Cassiogomes11.

Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446

| File |
|---|
| UploadBaseTest.php |
| UploadFromUrlTest.php |
| UploadStashTest.php |