
XML-Parser fails on <!ENTITY with multiple commands
Closed, Declined · Public · BUG REPORT

Description

Steps to Reproduce: add

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd" [
  <!ENTITY Smile "
    <rect x='.5' y='.5' width='29' height='39' fill='black' stroke='orange' stroke-width='2'/>
    <g transform='translate(0, 5)'>
      <circle cx='15' cy='15' r='10' fill='yellow'/>
      <circle cx='12' cy='12' r='1.5' fill='black'/>
      <circle cx='17' cy='12' r='1.5' fill='black'/>
      <path d='M 10 19 L 15 23 20 19' stroke='black' stroke-width='2'/>
    </g>
  ">
  <!ENTITY Viewport1 "<rect x='.5' y='.5' width='49' height='29' fill='none' stroke='blue'/>">
  <!ENTITY Viewport2 "<rect x='.5' y='.5' width='29' height='59' fill='none' stroke='blue'/>">
]>

to https://commons.wikimedia.org/wiki/File:W3C_SVG_11_TestSuite_coords-viewattr-01-b.svg

Actual Results:

API Error verification-error:
The XML in the uploaded file could not be parsed.

Expected Results:

It is a valid file from the official W3C-Test-suite: https://www.w3.org/Graphics/SVG/Test/20110816/ and should be uploadable

Event Timeline

I suspect that T151735 introduced an ENTITY filter that rejects this text.

If PHP has a better XML parser, then the ENTITY filter may not be needed. I believe modern parsers expand all entities before giving the document to the application.

This is intentional. XML entity expansion is dangerous and almost impossible to validate/escape.

This issue will not ever be fixed as it pertains to a theoretically correct usage of SVG, but not one that should be encouraged among users, nor allowed on servers with uploads by arbitrary users. It's also more of an XML test than an SVG test in my opinion.
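The kind of upload filter discussed in the comments above, as an added example (not MediaWiki's code and not part of this task): it rejects a file at the first <!ENTITY declaration, before the parser expands anything. The function name and sample documents are constructed; the parser is Python's standard xml.parsers.expat.

```python
import xml.parsers.expat
from typing import Tuple


class EntityDeclared(Exception):
    """Raised from the expat callback to abort parsing at the first <!ENTITY."""


def screen_svg_upload(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded SVG (hypothetical helper)."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # value is None for external (SYSTEM/PUBLIC) entities, a string for internal ones.
        kind = "external" if value is None else "internal"
        raise EntityDeclared(f"{kind} entity '{name}' declared in DTD")

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclared as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, "no entity declarations"


# Constructed samples: the DOCTYPE from the report (Smile entity shortened) with a
# minimal body, the same drawing with the entity inlined, and an external entity.
DTD_ID = b'PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd"'
CIRCLE = b"<circle cx='15' cy='15' r='10' fill='yellow'/>"
WITH_ENTITY = (b'<?xml version="1.0"?>\n<!DOCTYPE svg ' + DTD_ID + b' [\n'
               b'  <!ENTITY Smile "' + CIRCLE + b'">\n]>\n'
               b'<svg xmlns="http://www.w3.org/2000/svg">&Smile;</svg>')
INLINED = (b'<?xml version="1.0"?>\n<!DOCTYPE svg ' + DTD_ID + b'>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg">' + CIRCLE + b'</svg>')
EXTERNAL = b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder">]><svg>&ext;</svg>'

if __name__ == "__main__":
    for label, doc in [("with entity", WITH_ENTITY), ("inlined", INLINED),
                       ("external", EXTERNAL), ("truncated", b"<svg>")]:
        print(label, "->", screen_svg_upload(doc))
```

The inlined variant shows the workaround available to an uploader: the same drawing passes once the entity's replacement text is written directly into the document body.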

Aklapper renamed this task from XML-Parser fails on <!ENTITY with multiple comands to XML-Parser fails on <!ENTITY with multiple commands. Oct 24 2023, 11:45 AM