MDL-72316 filelib: Add ability for modules to directly load SVG images

This also implements the functionality for SCORM packages, which may have SVG images embedded within their content which require loading directly (and are only created by users with appropriate risk flag).
2025-04-21 08:22:07 +02:00 · 2021-10-20 20:43:11 +08:00 · 2021-10-20 20:43:11 +08:00 · 2a2ece647a
commit 2a2ece647a
parent 8885e22a0b
3 changed files with 15 additions and 2 deletions
--- a/lib/filelib.php
+++ b/lib/filelib.php
@ -2505,6 +2505,9 @@ function file_safe_save_content($content, $destination) {
 * @param array $options An array of options, currently accepts:
 *                       - (string) cacheability: public, or private.
 *                       - (string|null) immutable
+ *                       - (bool) dontforcesvgdownload: true if force download should be disabled on SVGs.
+ *                                Note: This overrides a security feature, so should only be applied to "trusted" content
+ *                                (eg module content that is created using an XSS risk flagged capability, such as SCORM).
 * @return null script execution stopped unless $dontdie is true
 */
 function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring=false, $forcedownload=false, $mimetype='',
@ -2535,8 +2538,9 @@ function send_file($path, $filename, $lifetime = null , $filter=0, $pathisstring
        $filename = rawurlencode($filename);
    }

-    // Make sure we force download of SVG files for security reasons (https://digi.ninja/blog/svg_xss.php).
-    if (file_is_svg_image_from_mimetype($mimetype)) {
+    // Make sure we force download of SVG files, unless the module explicitly allows them (eg within SCORM content).
+    // This is for security reasons (https://digi.ninja/blog/svg_xss.php).
+    if (file_is_svg_image_from_mimetype($mimetype) && empty($options['dontforcesvgdownload'])) {
        $forcedownload = true;
    }

--- a/lib/upgrade.txt
+++ b/lib/upgrade.txt
@ -110,6 +110,12 @@ completely removed from Moodle core too.
 classes extending it. When possible, the enable_plugin() method will store these changes into the config_log table, to let admins
 check when and who has enabled/disabled plugins.

+=== 3.11.4 ===
+* A new option dontforcesvgdownload has been added to the $options parameter of the send_file() function.
+  Note: This option overrides the forced download of directly accessed SVGs, so should only be used where the calling method is
+  rendering SVGs directly for content created using XSS risk flagged capabilities (such as creating a SCORM activity).
+  This is also not necessary where SVGs are already being safely loaded into <img> tags by Moodle (eg within forum posts).
+
 === 3.11.2 ===
 * For security reasons, filelib has been updated so all requests now use emulated redirects.
  For this reason, manually disabling emulateredirects will no longer have any effect (and will generate a debugging message).
--- a/mod/scorm/lib.php
+++ b/mod/scorm/lib.php
@ -1011,6 +1011,9 @@ function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownlo
        return false;
    }

+    // Allow SVG files to be loaded within SCORM content, instead of forcing download.
+    $options['dontforcesvgdownload'] = true;
+
    // Finally send the file.
    send_stored_file($file, $lifetime, 0, false, $options);
 }