From 7468b7888598447c8318d473f1bd5e0b10001362 Mon Sep 17 00:00:00 2001
From: Penar Musaraj
Date: Tue, 11 Apr 2023 14:15:41 -0400
Subject: [PATCH] SECURITY: strip `xlink:href` from uploaded SVGs (#21058)

This was inadvertently removed in 4c46c7e. In very specific scenarios, this could be used execute arbitrary JavaScript.

Only affects instances where SVGs are allowed as uploads and CDN is not configured.
---
 lib/upload_creator.rb | 1 +
 spec/lib/upload_creator_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index d83af7461c9..f37e6750309 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -500,6 +500,7 @@ class UploadCreator
 if use_el.attr("href")
 use_el.remove_attribute("href") unless use_el.attr("href").starts_with?("#")
 end
+ use_el.remove_attribute("xlink:href")
 end
 File.write(@file.path, doc.to_s)
 @file.rewind
diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index 7965a5f6dbb..cdc20d28603 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -613,7 +613,7 @@ RSpec.describe UploadCreator do
-
+
 XML
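Review bot: The added `use_el.remove_attribute("xlink:href")` strips the attribute unconditionally, while the `href` branch two lines above keeps same-document references (values starting with `#`), so legacy SVGs using `<use xlink:href="#symbol">` — still the most common form in the wild — would lose their references after upload. If that asymmetry is deliberate (a fragment reference in the xlink namespace is no more dangerous than one in `href`), a short comment should say so; otherwise mirror the guard: `xlink = use_el.attr("xlink:href")` / `use_el.remove_attribute("xlink:href") if xlink && !xlink.start_with?("#")`. It is also worth a spec asserting the namespaced attribute is actually absent in the serialized `doc.to_s`, since lookup of a prefixed attribute name can depend on how the document was parsed and whether the `xlink` namespace is declared on the root; the spec change in this patch is not legible here. The loop that binds `use_el` starts outside this hunk; if it only walks `<use>` elements, other elements that accept `xlink:href` (`image`, `a`, `script`) are presumably handled elsewhere or not at all — worth confirming.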