Commit c506e6fb authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader
Browse files

[TASK] Introduce SVG Sanitizer

This change introduces behavior of extension `t3g/svg-sanitizer` into
the TYPO3 core. Sanitizing SVG data is actually done by external package
`enshrined/svg-sanitize` by Daryll Doyle.

The following aspects are introduced:
+ handle `GeneralUtility::upload_copy_move` invocations
+ handle FAL action events `file-add`, `file-replace`, `set-content`
+ provide upgrade wizard, sanitizing all SVG files in storages that
  are using `LocalDriver`

Custom usage:
```
$sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer();
$sanitizer->sanitizeFile($sourcePath, $targetPath);
$svg = $sanitizer->sanitizeContent($svg);
```

Basically this change enforces following public service announcements
concerning SVG files, to enhance these security aspects per default:
+ https://typo3.org/security/advisory/typo3-psa-2020-003
+ https://typo3.org/security/advisory/typo3-psa-2019-010

Resolves: #94492
Releases: master, 10.4, 9.5
Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69809

Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 61030c7b
......@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "ca0cef227667409039995378723d0f49",
"content-hash": "4cac8f22e93753a4a2a91e19b3ffaa4e",
"packages": [
{
"name": "bacon/bacon-qr-code",
......@@ -815,6 +815,51 @@
],
"time": "2020-12-29T14:50:06+00:00"
},
{
"name": "enshrined/svg-sanitize",
"version": "0.14.0",
"source": {
"type": "git",
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
"reference": "beff89576a72540ee99476aeb9cfe98222e76fb8"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/beff89576a72540ee99476aeb9cfe98222e76fb8",
"reference": "beff89576a72540ee99476aeb9cfe98222e76fb8",
"shasum": ""
},
"require": {
"ext-dom": "*",
"ext-libxml": "*"
},
"require-dev": {
"codeclimate/php-test-reporter": "^0.1.2",
"phpunit/phpunit": "^6"
},
"type": "library",
"autoload": {
"psr-4": {
"enshrined\\svgSanitize\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"GPL-2.0-or-later"
],
"authors": [
{
"name": "Daryll Doyle",
"email": "daryll@enshrined.co.uk"
}
],
"description": "An SVG sanitizer for PHP",
"support": {
"issues": "https://github.com/darylldoyle/svg-sanitizer/issues",
"source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.14.0"
},
"time": "2021-01-21T10:13:20+00:00"
},
{
"name": "guzzlehttp/guzzle",
"version": "7.2.0",
......
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\CMS\Core\Resource\Security;
use TYPO3\CMS\Core\Resource\Event\AfterFileContentsSetEvent;
use TYPO3\CMS\Core\Resource\Event\BeforeFileAddedEvent;
use TYPO3\CMS\Core\Resource\Event\BeforeFileReplacedEvent;
class SvgEventListener
{
/**
* @var SvgSanitizer
*/
protected $sanitizer;
/**
* @var SvgTypeCheck
*/
protected $typeCheck;
public function __construct(SvgSanitizer $sanitizer, SvgTypeCheck $typeCheck)
{
$this->sanitizer = $sanitizer;
$this->typeCheck = $typeCheck;
}
public function beforeFileAdded(BeforeFileAddedEvent $event): void
{
$filePath = $event->getSourceFilePath();
if ($this->typeCheck->forFilePath($filePath)) {
$this->sanitizer->sanitizeFile($filePath);
}
}
public function beforeFileReplaced(BeforeFileReplacedEvent $event): void
{
$filePath = $event->getLocalFilePath();
if ($this->typeCheck->forFilePath($filePath)) {
$this->sanitizer->sanitizeFile($filePath);
}
}
public function afterFileContentsSet(AfterFileContentsSetEvent $event): void
{
$file = $event->getFile();
if (!$this->typeCheck->forResource($file)) {
return;
}
$content = $event->getContent();
$sanitizedContent = $this->sanitizer->sanitizeContent($content);
// cave: setting content will trigger calling this handler again
// (having custom-flags on `FileInterface` would allow to mark it as "processed")
if ($sanitizedContent !== $content) {
$file->setContents($sanitizedContent);
}
}
}
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\CMS\Core\Resource\Security;
class SvgHookHandler
{
/**
* @var SvgSanitizer
*/
protected $sanitizer;
/**
* @var SvgTypeCheck
*/
protected $typeCheck;
public function __construct(SvgSanitizer $sanitizer, SvgTypeCheck $typeCheck)
{
$this->sanitizer = $sanitizer;
$this->typeCheck = $typeCheck;
}
/**
* @param array $parameters
*/
public function processMoveUploadedFile(array $parameters)
{
$filePath = $parameters['source'] ?? null;
if ($filePath !== null && $this->typeCheck->forFilePath($filePath)) {
$this->sanitizer->sanitizeFile($filePath);
}
}
}
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\CMS\Core\Resource\Security;
use enshrined\svgSanitize\Sanitizer;
class SvgSanitizer
{
/**
* @param string $sourcePath
* @param string|null $targetPath
* @throws \BadFunctionCallException
*/
public function sanitizeFile(string $sourcePath, string $targetPath = null): void
{
if ($targetPath === null) {
$targetPath = $sourcePath;
}
$svg = file_get_contents($sourcePath);
if (!is_string($svg)) {
return;
}
$sanitizedSvg = $this->sanitizeContent($svg);
if ($sanitizedSvg !== $svg) {
file_put_contents($targetPath, $sanitizedSvg);
}
}
/**
* @param string $svg
*
* @return string
* @throws \BadFunctionCallException
*/
public function sanitizeContent(string $svg): string
{
$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true);
return $sanitizer->sanitize($svg) ?: '';
}
}
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\CMS\Core\Resource\Security;
use TYPO3\CMS\Core\Resource\FileInterface;
use TYPO3\CMS\Core\Resource\MimeTypeDetector;
use TYPO3\CMS\Core\Type\File\FileInfo;
use TYPO3\CMS\Core\Utility\GeneralUtility;
class SvgTypeCheck
{
protected const MIME_TYPES = ['image/svg', 'image/svg+xml', 'application/svg', 'application/svg+xml'];
/**
* @var MimeTypeDetector
*/
protected $mimeTypeDetector;
/**
* @var string[]
*/
protected $fileExtensions;
public function __construct(MimeTypeDetector $mimeTypeDetector)
{
$this->mimeTypeDetector = $mimeTypeDetector;
$this->fileExtensions = $this->resolveFileExtensions();
}
public function forFilePath(string $filePath): bool
{
$fileInfo = GeneralUtility::makeInstance(FileInfo::class, $filePath);
$fileExtension = $fileInfo->getExtension();
$mimeType = $fileInfo->getMimeType();
return in_array($fileExtension, $this->fileExtensions, true)
|| in_array($mimeType, self::MIME_TYPES, true);
}
public function forResource(FileInterface $file): bool
{
$fileExtension = $file->getExtension();
$mimeType = $file->getMimeType();
return in_array($fileExtension, $this->fileExtensions, true)
|| in_array($mimeType, self::MIME_TYPES, true);
}
/**
* @return string[]
*/
protected function resolveFileExtensions(): array
{
$fileExtensions = array_map(
function (string $mimeType): array {
return $this->mimeTypeDetector->getFileExtensionsForMimeType($mimeType);
},
self::MIME_TYPES
);
$fileExtensions = array_filter($fileExtensions);
return count($fileExtensions) > 0 ? array_unique(array_merge(...$fileExtensions)) : [];
}
}
......@@ -187,6 +187,27 @@ services:
identifier: 'synchronize-filemounts-after-folder-renamed'
method: 'synchronizeFilemountsAfterRename'
TYPO3\CMS\Core\Resource\Security\SvgEventListener:
tags:
- name: event.listener
identifier: 'svg-resource-storage-listener-before-file-added'
method: 'beforeFileAdded'
event: TYPO3\CMS\Core\Resource\Event\BeforeFileAddedEvent
- name: event.listener
identifier: 'svg-resource-storage-listener-before-file-replaced'
method: 'beforeFileReplaced'
event: TYPO3\CMS\Core\Resource\Event\BeforeFileReplacedEvent
- name: event.listener
identifier: 'svg-resource-storage-listener-after-file-content-set'
method: 'afterFileContentsSet'
event: TYPO3\CMS\Core\Resource\Event\AfterFileContentsSetEvent
TYPO3\CMS\Core\Resource\Security\SvgHookHandler:
public: true
TYPO3\CMS\Core\Resource\Security\SvgTypeCheck:
public: true
# Core caches, cache.core and cache.assets are injected as early
# entries in TYPO3\CMS\Core\Core\Bootstrap and therefore omitted here
cache.hash:
......
.. include:: ../../Includes.txt
===========================================
Important: #94492 - Introduce SVG Sanitizer
===========================================
See :issue:`94492`
Description
===========
SVG sanitization behavior of extension [`t3g/svg-sanitizer`](https://packagist.org/packages/t3g/svg-sanitizer)
has been introduced into TYPO3 core. Actual processing is done by low-level sanitization package
[`enshrined/svg-sanitize`](https://packagist.org/packages/enshrined/svg-sanitize) by Daryll Doyle.
Introduced aspects
------------------
* handle :php:`GeneralUtility::upload_copy_move` invocations
* handle FAL action events `file-add`, `file-replace`, `set-content`
* provide upgrade wizard, sanitizing all SVG files in storages that
are using :php:`\TYPO3\CMS\Core\Resource\Driver\LocalDriver`
Custom usage
------------
.. code-block:: php
$sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer();
$sanitizer->sanitizeFile($sourcePath, $targetPath);
$svg = $sanitizer->sanitizeContent($svg);
Basically this change enforces following public service announcements
concerning SVG files, to enhance these security aspects per default:
* [TYPO3-PSA-2020-003: Mitigation of Cross-Site Scripting Vulnerabilities in File Upload Handling](https://typo3.org/security/advisory/typo3-psa-2020-003)
* [TYPO3-PSA-2019-010: Cross-Site Scripting Vulnerabilities in File Upload Handling](https://typo3.org/security/advisory/typo3-psa-2019-010)
.. index:: Backend, FAL, Frontend, ext:core
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" id="Ebene_1" x="0px" y="0px" width="400px" height="168px" viewBox="0 0 400 168">
<rect x="0.404" y="0.412" fill="none" width="400" height="168"></rect>
<path d="M164.458,70.495v55.187h-7.691V70.495h-13.622v-6.72h34.934v6.72H164.458z M205.737,96.935v28.747h-7.966V96.935&#10;&#9;l-15.825-33.16h8.485l11.668,25.02l11.676-25.02h8.053L205.737,96.935z M245.705,102.332h-7.429v23.35h-7.698V63.775&#10;&#9;c0,0,7.613-0.625,14.956-0.625c13.438,0,17.331,8.316,17.331,19.195C262.865,95.785,258.261,102.332,245.705,102.332&#10;&#9; M246.585,69.522c-4.859,0-8.31,0.531-8.31,0.531v25.815h8.31c4.956,0,8.409-3.268,8.409-12.907&#10;&#9;C254.995,74.114,252.863,69.522,246.585,69.522 M290.635,126.295c-14.588,0-18.481-10.61-18.481-32.271&#10;&#9;c0-20.789,3.894-30.873,18.481-30.873c14.587,0,18.478,10.084,18.478,30.873C309.113,115.685,305.222,126.295,290.635,126.295&#10;&#9; M290.635,69.605c-7.953,0-10.611,5.4-10.611,24.858c0,19.006,2.658,25.383,10.611,25.383s10.61-6.377,10.61-25.383&#10;&#9;C301.246,75.005,298.588,69.605,290.635,69.605 M331.313,126.295c-4.331,0-10.78-1.321-11.587-1.51v-6.444&#10;&#9;c2.129,0.438,7.608,1.349,11.503,1.349c4.501,0,7.428-3.822,7.428-10.64c0-8.039-1.318-12.286-7.601-12.286H323.8v-6.463h6.362&#10;&#9;c7.176,0,7.515-7.34,7.515-10.873c0-6.99-2.202-9.823-6.621-9.823c-3.89,0-8.323,0.973-10.879,1.506v-6.454&#10;&#9;c0.967-0.179,6.193-1.506,10.696-1.506c9.105,0,14.332,3.892,14.332,17.075c0,6.015-2.132,11.311-6.819,13.002&#10;&#9;c5.397,0.354,7.869,6.277,7.869,14.942C346.255,121.351,341.129,126.295,331.313,126.295"></path>
<path fill="#FF8700" d="M106.074,100.128c-1.247,0.368-2.242,0.506-3.547,0.506c-10.691,0-26.389-37.359-26.389-49.793&#10;&#9;c0-4.577,1.083-6.104,2.613-7.415c-13.084,1.527-28.784,6.329-33.804,12.433c-1.085,1.529-1.745,3.926-1.745,6.98&#10;&#9;c0,19.41,20.718,63.455,35.332,63.455C85.297,126.295,96.696,115.181,106.074,100.128"></path>
<path fill="#FF8700" d="M99.25,42.122c13.52,0,27.049,2.18,27.049,9.812c0,15.483-9.819,34.246-14.832,34.246&#10;&#9;c-8.942,0-20.065-24.867-20.065-37.301C91.403,43.209,93.583,42.122,99.25,42.122"></path>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" id="Ebene_1" x="0px" y="0px" width="400px" height="168px" viewBox="0 0 400 168">
<image></image>
<rect x="0.404" y="0.412" fill="none" width="400" height="168"></rect>
<path d="M164.458,70.495v55.187h-7.691V70.495h-13.622v-6.72h34.934v6.72H164.458z M205.737,96.935v28.747h-7.966V96.935&#10;&#9;l-15.825-33.16h8.485l11.668,25.02l11.676-25.02h8.053L205.737,96.935z M245.705,102.332h-7.429v23.35h-7.698V63.775&#10;&#9;c0,0,7.613-0.625,14.956-0.625c13.438,0,17.331,8.316,17.331,19.195C262.865,95.785,258.261,102.332,245.705,102.332&#10;&#9; M246.585,69.522c-4.859,0-8.31,0.531-8.31,0.531v25.815h8.31c4.956,0,8.409-3.268,8.409-12.907&#10;&#9;C254.995,74.114,252.863,69.522,246.585,69.522 M290.635,126.295c-14.588,0-18.481-10.61-18.481-32.271&#10;&#9;c0-20.789,3.894-30.873,18.481-30.873c14.587,0,18.478,10.084,18.478,30.873C309.113,115.685,305.222,126.295,290.635,126.295&#10;&#9; M290.635,69.605c-7.953,0-10.611,5.4-10.611,24.858c0,19.006,2.658,25.383,10.611,25.383s10.61-6.377,10.61-25.383&#10;&#9;C301.246,75.005,298.588,69.605,290.635,69.605 M331.313,126.295c-4.331,0-10.78-1.321-11.587-1.51v-6.444&#10;&#9;c2.129,0.438,7.608,1.349,11.503,1.349c4.501,0,7.428-3.822,7.428-10.64c0-8.039-1.318-12.286-7.601-12.286H323.8v-6.463h6.362&#10;&#9;c7.176,0,7.515-7.34,7.515-10.873c0-6.99-2.202-9.823-6.621-9.823c-3.89,0-8.323,0.973-10.879,1.506v-6.454&#10;&#9;c0.967-0.179,6.193-1.506,10.696-1.506c9.105,0,14.332,3.892,14.332,17.075c0,6.015-2.132,11.311-6.819,13.002&#10;&#9;c5.397,0.354,7.869,6.277,7.869,14.942C346.255,121.351,341.129,126.295,331.313,126.295"></path>
<path fill="#FF8700" d="M106.074,100.128c-1.247,0.368-2.242,0.506-3.547,0.506c-10.691,0-26.389-37.359-26.389-49.793&#10;&#9;c0-4.577,1.083-6.104,2.613-7.415c-13.084,1.527-28.784,6.329-33.804,12.433c-1.085,1.529-1.745,3.926-1.745,6.98&#10;&#9;c0,19.41,20.718,63.455,35.332,63.455C85.297,126.295,96.696,115.181,106.074,100.128"></path>
<path fill="#FF8700" d="M99.25,42.122c13.52,0,27.049,2.18,27.049,9.812c0,15.483-9.819,34.246-14.832,34.246&#10;&#9;c-8.942,0-20.065-24.867-20.065-37.301C91.403,43.209,93.583,42.122,99.25,42.122"></path>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" id="Ebene_1" x="0px" y="0px" width="400px" height="168px" viewBox="0 0 400 168">
<rect x="0.404" y="0.412" fill="none" width="400" height="168"></rect>
<path d="M164.458,70.495v55.187h-7.691V70.495h-13.622v-6.72h34.934v6.72H164.458z M205.737,96.935v28.747h-7.966V96.935&#10;&#9;l-15.825-33.16h8.485l11.668,25.02l11.676-25.02h8.053L205.737,96.935z M245.705,102.332h-7.429v23.35h-7.698V63.775&#10;&#9;c0,0,7.613-0.625,14.956-0.625c13.438,0,17.331,8.316,17.331,19.195C262.865,95.785,258.261,102.332,245.705,102.332&#10;&#9; M246.585,69.522c-4.859,0-8.31,0.531-8.31,0.531v25.815h8.31c4.956,0,8.409-3.268,8.409-12.907&#10;&#9;C254.995,74.114,252.863,69.522,246.585,69.522 M290.635,126.295c-14.588,0-18.481-10.61-18.481-32.271&#10;&#9;c0-20.789,3.894-30.873,18.481-30.873c14.587,0,18.478,10.084,18.478,30.873C309.113,115.685,305.222,126.295,290.635,126.295&#10;&#9; M290.635,69.605c-7.953,0-10.611,5.4-10.611,24.858c0,19.006,2.658,25.383,10.611,25.383s10.61-6.377,10.61-25.383&#10;&#9;C301.246,75.005,298.588,69.605,290.635,69.605 M331.313,126.295c-4.331,0-10.78-1.321-11.587-1.51v-6.444&#10;&#9;c2.129,0.438,7.608,1.349,11.503,1.349c4.501,0,7.428-3.822,7.428-10.64c0-8.039-1.318-12.286-7.601-12.286H323.8v-6.463h6.362&#10;&#9;c7.176,0,7.515-7.34,7.515-10.873c0-6.99-2.202-9.823-6.621-9.823c-3.89,0-8.323,0.973-10.879,1.506v-6.454&#10;&#9;c0.967-0.179,6.193-1.506,10.696-1.506c9.105,0,14.332,3.892,14.332,17.075c0,6.015-2.132,11.311-6.819,13.002&#10;&#9;c5.397,0.354,7.869,6.277,7.869,14.942C346.255,121.351,341.129,126.295,331.313,126.295"></path>
<path fill="#FF8700" d="M106.074,100.128c-1.247,0.368-2.242,0.506-3.547,0.506c-10.691,0-26.389-37.359-26.389-49.793&#10;&#9;c0-4.577,1.083-6.104,2.613-7.415c-13.084,1.527-28.784,6.329-33.804,12.433c-1.085,1.529-1.745,3.926-1.745,6.98&#10;&#9;c0,19.41,20.718,63.455,35.332,63.455C85.297,126.295,96.696,115.181,106.074,100.128"></path>
<path fill="#FF8700" d="M99.25,42.122c13.52,0,27.049,2.18,27.049,9.812c0,15.483-9.819,34.246-14.832,34.246&#10;&#9;c-8.942,0-20.065-24.867-20.065-37.301C91.403,43.209,93.583,42.122,99.25,42.122"></path>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg version="1" id="cat" viewBox="0 0 720 800" aria-labelledby="catTitle catDesc" role="img">
<title id="catTitle">Pixels, My Super-friendly Cat</title>
<desc id="catDesc">An illustrated gray cat with bright green blinking eyes.</desc>
<path id="tail" data-name="tail" class="cls-1" d="M545.9,695.9c8,28.2,23.2,42.3,27.2,46.9,21.4,24.1,41.5,40.2,81.1,42.9s65.4-14.2,60.8-26.8-23.1-9.1-51.3-8.3c-35.2.9-66.6-31.3-74.8-63.9s-7.9-63.8-36.8-85.5c-44.1-33-135.6-7.1-159.8-3.4s-48.4,52.5-9.6,45.1,91.4-23.1,123.2-12.7C537.8,640.4,537.9,667.7,545.9,695.9Z" transform="translate(-9.7 -9.3)"></path>
<g id="body">
<path id="bg" class="cls-2" d="M447.9,502.1c2.1,151.7-108.3,167-216.5,167S9.7,663.8,9.7,510.9,85,242.9,231.3,241,445.8,350.4,447.9,502.1h0Z" transform="translate(-9.7 -9.3)"></path>
<g id="leftleg">
<path id="leg" class="cls-1" d="M195.6,671.5c-34.2-7.7-40.6-95.6-53.3-191-12-90-90.1-177.2-55.1-177.2s145.7,12,151.4,87.7S261.5,686.5,195.6,671.5Z" transform="translate(-9.7 -9.3)"></path>
<path id="foot" class="cls-3" d="M172.2,688.1c31.6,2.1,56.6-8.7,59.8-32.4s-22.1-49.5-27.3-24.3c25-16.4-39.1-29.4-27.6-3.9,14-24.9-49.6-19.2-31.9-.1-6.5-27.2-35.6,8.2-30.1,29.3C121.5,681.8,140.5,686,172.2,688.1Z" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="rightleg">
<path id="leg-2" data-name="leg" class="cls-1" d="M260.4,670.4c42.4-9.2,48.7-87.7,53.9-185.2,5.1-96,98.2-176.1,63.1-176.1s-164,15.7-164,111.8C213.4,420.9,199.1,683.7,260.4,670.4Z" transform="translate(-9.7 -9.3)"></path>
<path id="foot-2" data-name="foot" class="cls-3" d="M279.4,689.8c-31.7,2-56.6-9-59.6-32.6s22.3-49.4,27.4-24.1c-24.9-16.5,39.2-29.2,27.6-3.8-13.9-25,49.7-18.9,31.9,0,6.6-27.1,35.6,8.4,30,29.4-6.7,25-25.7,29.1-57.3,31.1h0Z" transform="translate(-9.7 -9.3)"></path>
</g>
<path id="tuft" aria-haspopup="false" class="cls-3" d="M80,331.2c3.5,9.5,1.2,28.9,4.3,32.7s31.5-30,43-20.6c10.7,8.7,1.7,55.9,12.9,64.5,10.1,7.7,32.1-50.6,52.5-38.7,24.9,14.6,34.1,49.9,49,49.9,18.3,0,7.5-49.5,24.1-53.3s46.1,52.6,60.2,45.6c4.8-2.4,3-50.4,12-57.6,8.7-6.9,30.5,22.4,33.5,18.9,3.7-4.1.1-23.1,8.6-36.1,3.4-5.2,18.9-2.6,28.8-.4a3.46,3.46,0,0,0,3.7-5.2c-19.6-30.8-100-147.4-184.2-147.4-93.3,0-150.9,86.8-178.1,141.6a3.43,3.43,0,0,0,3.6,4.9C63,328.4,78.4,326.6,80,331.2Z" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="head">
<path id="collar" class="cls-4" d="M367,231.1c5.7,36.1-4.7,71-97.8,85.6s-184-18.5-189.7-54.5,16.7-17.3,109.8-31.9,172-35.3,177.7.8" transform="translate(-9.7 -9.3)"></path>
<g id="bg-2" data-name="bg">
<path class="cls-1" d="M362.5,229.5C339.7,279,273.1,299.4,225,300c-60.6.7-134.7-29.5-153.5-86.4C45.6,135.4,132.2,32.6,225,35.8c96.1,3.4,171.7,119.4,137.5,193.7" transform="translate(-9.7 -9.3)"></path>
<path class="cls-5" d="M362.5,229.5C339.7,279,273.1,299.4,225,300c-60.6.7-134.7-29.5-153.5-86.4C45.6,135.4,132.2,32.6,225,35.8,321.1,39.2,396.7,155.2,362.5,229.5Z" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="leftear" aria-label="Left Ear">
<path id="outer" class="cls-1" d="M92.7,117c-2.6,4.7-14.7-16.1-16.5-45-3.3-27.7,3.7-63.4,5.4-62C80.7,8,117,10,143,20c27.5,8.9,44.7,25.7,39.5,27.1-30,23.4-59.9,46.6-89.8,69.9" transform="translate(-9.7 -9.3)"></path>
<path id="inner" class="cls-6" d="M105.8,106.9C103.9,110.3,95.3,95.5,94,75c-2.3-19.6,2.6-44.9,3.8-44-0.6-1.4,25.1,0,43.6,7.1,19.5,6.3,31.7,18.2,28,19.2q-31.8,24.9-63.6,49.6" transform="translate(-9.7 -9.3)"></path>
</g>
<path id="mask" class="cls-2" d="M338.4,142.5c-2.2,3.3,19.4,19.6,17.2,23.2s-24.3-7.8-25.8-5.2c-1.9,3.3,33.4,24.1,31,29.2-2.3,4.9-34-14.4-84.3-18.1a141.76,141.76,0,0,1-16.4-2.1,91.21,91.21,0,0,1-13.7-3.9c-19.8-6.9-27.7-10.6-32.7-12-19.3-5.7-26.8,11.3-68.1,22.4-18.8,5-37.9,9.7-54.4,0-2.1-1.3-13.6-8.3-16.7-21.1-0.9-3.6-2.8-15.2,10.5-34C146.3,34.3,216.5,34,217.3,34a131.52,131.52,0,0,1,58.4,14.3c-7.6,4.9-11.2,9.5-9,10.1,21.5,16.5,43.1,33,64.6,49.5,0.9,1.7,3.6-1.3,6.3-7.3,19.3,30.5,22.1,41.5,18.9,44.3-3.8,3.6-16.4-4.8-18.1-2.4" transform="translate(-9.7 -9.3)"></path>
<g id="rightear">
<path id="outer-2" data-name="outer" class="cls-2" d="M344.9,119.9c2.6,4.7,14.7-16.1,16.5-45,3.3-27.7-3.7-63.4-5.4-62,0.9-2-35.4,0-61.4,10-27.5,8.9-44.7,25.7-39.5,27.1q44.85,35,89.8,69.9" transform="translate(-9.7 -9.3)"></path>
<path id="inner-2" data-name="inner" class="cls-6" d="M343.5,76.2a77.83,77.83,0,0,1-5.6,24.6c-15.1-20.3-36-39.8-61-52.4a82,82,0,0,1,19.2-9.1c18.5-7.1,44.2-8.5,43.6-7.1,1.2-.9,6.1,24.4,3.8,44" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="nose">
<path class="cls-7" d="M205.1,201.8l-10.6-18.3a9,9,0,0,1,7.7-13.4h21.2a8.9,8.9,0,0,1,7.7,13.4l-10.6,18.3a8.91,8.91,0,0,1-15.4,0" transform="translate(-9.7 -9.3)"></path>
<path class="cls-6" d="M194.2,175.1a9,9,0,0,0,.3,8.4l10.6,18.3a8.92,8.92,0,0,0,15.5,0l8.7-15c-5.8-6.2-19.3-10.1-35.1-11.7" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="mouth">
<path class="cls-8" d="M166.7,260.4c-24.4,0-44.1-25-44.1-55.9m88.2,0c0,30.9-19.7,55.9-44.1,55.9m89.9,0c24.4,0,44.1-25,44.1-55.9m-88.2,0c0,30.9,19.7,55.9,44.1,55.9" transform="translate(-9.7 -9.3)"></path>
<path class="cls-9" d="M300.7,204.5a65.16,65.16,0,0,1-8,32" transform="translate(-9.7 -9.3)"></path>
</g>
<path id="wiskers" class="cls-10" d="M188.7,198.4c0-12.9-72.7-23.3-162.6-23.3m162.6,36.2c0-7.1-65.8-12.9-147.1-12.9m196,1.3c1.4-12.8,74.8-15.6,164.1-6.2m-165.4,19c0.7-7.1,66.8-5.9,147.6,2.6" transform="translate(-9.7 -9.3)"></path>
<g id="lefteye" class="eye">
<path id="iris" class="cls-4" d="M188.6,141.5s-18.3,12.3-35.8,7.9-30-15.2-27.7-24c1.5-6,9.6-9.6,20.2-9.8a59.5,59.5,0,0,1,15.7,1.9,35.75,35.75,0,0,1,12.5,6.2,60,60,0,0,1,15.1,17.8" transform="translate(-9.7 -9.3)"></path>
<path class="cls-11" d="M125.1,123.6c1.5-6,9.6-9.6,20.1-9.8a59.5,59.5,0,0,1,15.7,1.9,35.75,35.75,0,0,1,12.5,6.2,59.47,59.47,0,0,1,15.2,17.8" transform="translate(-9.7 -9.3)"></path>
<path id="pupil" class="cls-12" d="M172.9,124.3c-2.3,9.2-10.7,15-18.7,13s-12.5-11.1-10.2-20.4a22.39,22.39,0,0,1,1.1-3.1,59.5,59.5,0,0,1,15.7,1.9,35.75,35.75,0,0,1,12.5,6.2,8.6,8.6,0,0,1-.4,2.4" transform="translate(-9.7 -9.3)"></path>
<path id="eyelash" class="cls-13" d="M124.9,121.5c-7.6,2.6-17.1-4.7-21.1-16.3m33.6,9.5c-7.5,2.9-17.3-4-21.7-15.5m36.7,14.6c-8.1-.1-14.5-10.2-14.3-22.6" transform="translate(-9.7 -9.3)"></path>
<path id="reflection" class="cls-14" d="M156.8,122c0,3.6-2.6,6.4-5.8,6.4s-5.8-2.9-5.8-6.4,2.6-6.4,5.8-6.4,5.8,2.9,5.8,6.4" transform="translate(-9.7 -9.3)"></path>
</g>
<g id="righteye" class="eye">
<path id="iris-2" data-name="iris" class="cls-4" d="M241.4,143.6s18.5,11.9,36,7.1,29.6-15.8,27.2-24.6c-1.7-6-9.8-9.4-20.3-9.4a59.21,59.21,0,0,0-15.6,2.2,37.44,37.44,0,0,0-12.4,6.4,60.14,60.14,0,0,0-14.9,18.3" transform="translate(-9.7 -9.3)"></path>
<path id="lid" class="cls-11" d="M304.5,124.4c-1.7-6-9.8-9.4-20.3-9.4a59.21,59.21,0,0,0-15.6,2.2,37.44,37.44,0,0,0-12.4,6.4,61.21,61.21,0,0,0-14.9,18.1" transform="translate(-9.7 -9.3)"></path>
<path id="pupil-2" data-name="pupil" class="cls-12" d="M256.7,126.1c2.5,9.2,11,14.8,18.9,12.6s12.3-11.4,9.8-20.6a16.59,16.59,0,0,0-1.2-3.1,59.21,59.21,0,0,0-15.6,2.2,37.44,37.44,0,0,0-12.4,6.4,9.23,9.23,0,0,0,.5,2.5" transform="translate(-9.7 -9.3)"></path>
<path id="eyelash-2" data-name="eyelash" class="cls-13" d="M302.9,122.3c7.7,2.5,17-5,20.8-16.8M292,115.7c7.6,2.8,17.2-4.4,21.4-16M277,115.1c8.1-.3,14.3-10.5,13.9-22.8" transform="translate(-9.7 -9.3)"></path>
<path id="reflection-2" data-name="reflection" class="cls-14" d="M271.1,127.1c0,3.6-2.6,6.5-5.8,6.5s-5.8-2.9-5.8-6.5,2.6-6.4,5.8-6.4,5.8,2.9,5.8,6.4" transform="translate(-9.7 -9.3)"></path>
</g>
</g>
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg">
<text x="0" y="20" font-size="20">&lab;</text>
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg">
<text x="0" y="20" font-size="20">&lab2;</text>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" xml:space="preserve">
<rect x="0" y="0" width="1000" height="1000"></rect>
<rect x="0" y="0" width="1000" height="1000"></rect>
<rect x="0" y="0" width="1000" height="1000"></rect>
<rect x="0" y="0" width="1000" height="1000"></rect>
<rect x="0" y="0" width="1000" height="1000"></rect>
<rect fill="url('/benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
<rect fill="url('#benis.svg')" x="0" y="0" width="1000" height="1000"></rect>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" height="600px" id="Layer_1" width="600px" x="0px" y="0px" xml:space="preserve">
<a>test 1</a>
<a>test 2</a>
<a href="#test3">test 3</a>
<a xlink:href="#test">test 4</a>
<a>test 5</a>
<a>test 6</a>
<a>test 7</a>
<a>test 8</a>
</svg>
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" height="600px" id="Layer_1" width="600px" x="0px" y="0px" xml:space="preserve">
<a>test 1</a>
<a>test 2</a>
<a href="#test3">test 3</a>
<a xlink:href="#test">test 4</a>
<a>test 5</a>
<a>test 6</a>
<a>test 7</a>
<a>test 8</a>
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
<rect x="10" y="10" width="100" height="100" stroke="red" stroke-width="10" fill="white"></rect>
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
<rect x="10" y="10" width="100" height="100" stroke="red" stroke-width="10" fill="white"></rect>
</svg>
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment