From 99b5584ad9f2690ab2c0fb7e382d98bc15cccd99 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Wed, 13 Aug 2025 19:17:54 -0700
Subject: [PATCH] Fix handling of quotes in SVG. PHP is confusing. I assumed that htmlspecialchars( $foo, ENT_XML1 ) would escape quote characters, but turns out you also need to provide | ENT_QUOTES. An example file where this causes a problem is File:Parkinsons-disease-prevalence-ihme,World,2021.svg
---
 src/php/File/SvgFile.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/php/File/SvgFile.php b/src/php/File/SvgFile.php
index 82f1ef9..96e3102 100644
--- a/src/php/File/SvgFile.php
+++ b/src/php/File/SvgFile.php
@@ -173,9 +173,9 @@ public function crop($srcPath, $destPath, $method, $coords, $rotation)
 $openingElm = '<' . $reader->name;
 $closingElm = 'name . '>';
- $openingElm .= ' width="' . htmlspecialchars( $coords['width'], ENT_XML1 ) . '"';
- $openingElm .= ' height="' . htmlspecialchars( $coords['height'], ENT_XML1 ) . '"';
- $openingElm .= ' viewBox="' . htmlspecialchars( $newViewBox, ENT_XML1 ) . '"';
+ $openingElm .= ' width="' . htmlspecialchars( $coords['width'], ENT_XML1 | ENT_QUOTES ) . '"';
+ $openingElm .= ' height="' . htmlspecialchars( $coords['height'], ENT_XML1 | ENT_QUOTES ) . '"';
+ $openingElm .= ' viewBox="' . htmlspecialchars( $newViewBox, ENT_XML1 | ENT_QUOTES ) . '"';
 while( $reader->moveToNextAttribute() ) {
 if ( $reader->namespaceURI === '' &&
@@ -183,7 +183,7 @@ public function crop($srcPath, $destPath, $method, $coords, $rotation)
 continue;
 }
 $openingElm .= ' ' . $reader->name . '=';
- $openingElm .= '"' . htmlspecialchars( $reader->value, ENT_XML1 ) . '"';
+ $openingElm .= '"' . htmlspecialchars( $reader->value, ENT_XML1 | ENT_QUOTES ) . '"';
 }
 $openingElm .= '>';
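Review bot: The flag pair `ENT_XML1 | ENT_QUOTES` is now repeated at four call sites (the width, height and viewBox lines in this hunk and the `$reader->value` line in the second hunk), so dropping `ENT_QUOTES` at any one of them silently brings the bug back. With `ENT_XML1` alone no quote character is escaped, and a `"` in an attribute value copied from the source SVG ends the attribute early, leaving the rest to be parsed as further markup on the rebuilt root element. A single private helper whose body is `return htmlspecialchars( $value, ENT_XML1 | ENT_QUOTES, 'UTF-8' );` would keep the flags and the encoding in one place, with a short comment on why `ENT_QUOTES` is required for double-quoted attributes. The diffstat lists only SvgFile.php, so a regression test is also worth adding: crop an SVG whose root element has an attribute value containing both `"` and `'`, then assert the output still parses with that value unchanged. crop() begins and ends outside both hunks, so how `$coords` and `$newViewBox` are produced is not visible here.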