sunnysideup/silverstripe-svg-images 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

sunnysideup/silverstripe-svg-images

Composer 安装命令:

composer require sunnysideup/silverstripe-svg-images

包简介

Basic SVG Image support for Silverstripe (Assets/Uploads)

关键字:

README 文档

README

This works as-is with any files added via the AssetAdmin and many_many relations to 'File/Image(/SVGImage)'.

This module exposes the SVG template helpers/methods of the stevie-mayhew/silverstripe-svg module if that's installed (recommended by composer). See 'Usage'.

SVG Security

SVGs may expose a lot of possible attack vectors, most of which are widely known and unpatched. Basically you should consider SVG a browser-executable format comparable to HTML/JS, but with virtually no exploit-protection built into browsers. In some circumstances, eg when parsing XML server side, SVGs could also pose server side risks like file inclusion (XML External Entity attack), fork bombs (Billion laughs) and probably dozens more. See 'Security considerations'.

As a general rule of thumb, only work with trusted SVGs (created & uploaded by trusted users). SVGs loaded through an img tag provide a bit more security (eg no script execution) than inline SVG code.

Installation

Allow svg as an extension on 'File' in config.yml:

File:
  allowed_extensions:
    - svg

Next, add svg to the list of allowed extensions in the htaccess file in the assets folder.

Fresh codebases:

Best option is to resort to many_manys with UploadField::setAllowedMaxFileNumber(1), since File/Upload tries to instantiate the relation's appointed classname for has_ones and so will resort to Image instead of SVGImage.

OR simply tell the injector to use the SVGImage class instead of Image, see Yaml config below (falls back to Image class for regular images).

OR (probably undesirable) set the has_one relation to 'SVGImage' subclass.

Options for existing codebases/sites (or modules):

You may simply change the relation to point to SVGImage class if possible (existing relations may have to be re-added?)

OR Add the following config to have UploadFields for has_one pointing to 'Image' load as SVGImage for .svg files (this is another approach then resorting to many_manys, which may interfere with other modules like FocusedImage which also uses injector for Image)

Injector:
  Image:
    class: SVGImage
  Image_Cached:
    class: SVGImage_Cached

Allowing SVG in scaffolded UploadFields

Scaffolded UploadFields to 'Image' may need to be told to allow SVG images as well (currently fixed in master):

$field->setAllowedFileCategories('image');

It's also possible to temporarily hack the framework /Framework/model/fieldtypes/ForeignKey around line 33 to make scaffolded has_one UploadFields for Image relations allow SVGs (temporarily because this is currently fixed in master).

    ...
    if($hasOneClass && singleton($hasOneClass) instanceof Image) {
        $field = new UploadField($relationName, $title);
        // CHANGE:
        //$field->getValidator()->setAllowedExtensions(array('jpg', 'jpeg', 'png', 'gif'));
        // TO:
        $field->setAllowedFileCategories('image');
    } else ...

Usage

In a SilverStripe template simply treat as you would treat a normal image (minus the formatting/scaling functionality). For scaling/adding classes etc, this module integrates SVG template helpers (stevie-mayhew/silverstripe-svg module required).

<!-- add svg as image -->
<img src="$Image.URL" />

<!-- or, for example when using Foundation interchange to have separate/responsive versions: -->
<img src="$Image_Mobile.URL" data-interchange="[$Image_Desktop.URL, medium]" />
<!-- add inline svg (the raw SVG file will be inserted, see the .SVG helper for more subtle inlining) -->
{$Image.SVG_RAW_Inline}

<!-- Test for SVG and fallback to regular image methods, for example when the image may be multiple formats (eg SVG/PNG/JPG) -->
<% if $Image.IsSVG %> {$Image.SVG_RAW_Inline} <% else %> $Image.SetWidth(1200) <% end_if %>

Additional helper functions for width, height, size, fill & adding extra classes are exposed by the '.SVG' method. (Requires additional module: stevie-mayhew/silverstripe-svg

<!-- add inline svg (slightly sanitized) -->
{$Image.SVG}

<!-- add a part of an SVG by ID inline -->
{$Image.SVG.LimitID('ParticularID')}
<!-- change width -->
{$Image.SVG.width(200)}

<!-- change height -->
{$Image.SVG.height(200)}

<!-- change size (width and height) -->
{$Image.SVG.size(100,100)}

<!-- change fill -->
{$Image.SVG.fill('#FF9933')}

<!-- add class -->
{$Image.SVG.extraClass('awesome-svg')}

These options are also chainable.

{$SVG('name').fill('#45FABD').width(200).height(100).extraClass('awesome-svg')}

Security considerations

Currently I don't know of any way to fully sanitize untrusted SVGs. Regular expressions are not suitable for the job and any PHP XML parsers are vulnerable to at least some attack vectors (like file inclusion). Here's a thorough listing of known attack vectors.

DOMPurify is a browser/JS based library that seems to do a pretty good job (but it's JS/NodeJS, not PHP). PHP based libraries which provide some protection but use (possibly dangerous) XML parsing are svg-sanitizer & SVG Sanitizer.

SVG cropping & additional manipulations (to be added to this module)

http://www.silverstrip.es/blog/svg-in-the-silverstripe-backend/

Cropping can basically be done using viewBox, combined with svg width/height attr (all optional) PHP SVG class (Imagemagick): https://github.com/oscarotero/imagecow Simple rendering SVG>JPG/PNG: http://stackoverflow.com/questions/10289686/rendering-an-svg-file-to-a-png-or-jpeg-in-php

PHP Cairo (PECL, not really an option): http://php.net/manual/en/class.cairosvgsurface.php

PHP SVG Iconizr (CLI CSS/SVG/PNG sprite generator): https://github.com/jkphl/iconizr

sunnysideup/silverstripe-svg-images 适用场景与选型建议

sunnysideup/silverstripe-svg-images 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.39k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2019 年 11 月 28 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「silverstripe」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 sunnysideup/silverstripe-svg-images 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 sunnysideup/silverstripe-svg-images 我们能提供哪些服务?
定制开发 / 二次开发

基于 sunnysideup/silverstripe-svg-images 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1.39k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 14
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 20
  • 开发语言: PHP

其他信息

  • 授权协议: Unknown
  • 更新时间: 2019-11-28