diff --git a/frontend/src/components/CourseCard.vue b/frontend/src/components/CourseCard.vue
index 6e166e70..ae075920 100644
--- a/frontend/src/components/CourseCard.vue
+++ b/frontend/src/components/CourseCard.vue
@@ -33,13 +33,13 @@ {{ tag }} -
{{ course.title }} -
+ -->
@@ -69,19 +69,12 @@
- -
-
+
{{ course.title }}
diff --git a/frontend/src/utils/index.js b/frontend/src/utils/index.js
index bbfd6373..eba86850 100644
--- a/frontend/src/utils/index.js
+++ b/frontend/src/utils/index.js
@@ -487,14 +487,39 @@ export function singularize(word) {
 )
 }
-export const validateFile = (file, showToast = true) => {
- if (!file.type.startsWith('image/')) {
- const errorMessage = __('Only image file is allowed.')
- if (showToast) {
- toast.error(errorMessage)
- }
- return errorMessage
+export const validateFile = async (file, showToast = true) => {
+ const error = (msg) => {
+ if (showToast) toast.error(msg)
+ console.error(msg)
+ return msg
 }
+
+ if (!file.type.startsWith('image/')) {
+ return error(__('Only image file is allowed.'))
+ }
+
+ if (file.type === 'image/svg+xml') {
+ const text = await file.text()
+
+ const blacklist = [
+ /]/i,
+ /on\w+=["']?/i,
+ /javascript:/i,
+ /data:/i,
+ /]/i,
+ /]/i,
+ /]/i,
+ /]/i,
+ ]
+
+ for (const pattern of blacklist) {
+ if (pattern.test(text)) {
+ return error(__('SVG contains potentially unsafe content.'))
+ }
+ }
+ }
+
+ return null
 }
 export const escapeHTML = (text) => {
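Review bot: Turning validateFile into an async function changes its contract for every caller: the old function returned the error string (or undefined) synchronously, so any existing `if (validateFile(file))`-style check now receives a pending Promise, which is always truthy, and no caller is updated in this diff — each call site needs an `await`, and the export should say so, e.g. `/** Returns a Promise resolving to an error message, or null when the file is acceptable; callers must await it. */`. The SVG check itself is a regex blocklist over raw markup (several patterns are unreadable in this view, so their exact coverage cannot be assessed), which is a weak basis for accepting a format that browsers execute as a document: alternative encodings and element forms are easy to miss, and the `data:` rule also rejects SVGs with legitimately embedded raster images. A parse-and-allowlist approach (keep only known-safe elements and attributes, or a maintained sanitizer) is the usual recommendation; at minimum a comment such as `// Client-side pre-check only: best-effort blocklist, not a sanitizer` should record the limitation. Since `file.type` is a browser-supplied hint and this code runs in the client, the same validation must be enforced where the upload is stored and served, and serving user SVGs with a restrictive Content-Security-Policy or as an attachment limits the impact if the filter is bypassed.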