Fall back to black for non-color values

Signed-off-by: Joas Schilling <coding@schilljs.com>

diff --git a/core/Controller/SvgController.php b/core/Controller/SvgController.php
index bbf4e61c60c110aa8174cbe9ccc4636b233c5f3e..b956f724ad8c2350aff1a06c46c48715357f665c 100644 (file)
--- a/core/Controller/SvgController.php
+++ b/core/Controller/SvgController.php
@@ -111,6 +111,7 @@ class SvgController extends Controller {
         *
         * @param string $path
         * @param string $color
+        * @param string $fileName
         * @return DataDisplayResponse|NotFoundResponse
         */
        private function getSvg(string $path, string $color, string $fileName) {

diff --git a/lib/private/Template/IconsCacher.php b/lib/private/Template/IconsCacher.php
index 9cd4f8bca105a1e24b9fc11c78a8b310b6112d28..dd83ce7877506da4f1b2687e370ea31a25d72664 100644 (file)
--- a/lib/private/Template/IconsCacher.php
+++ b/lib/private/Template/IconsCacher.php
@@ -184,6 +184,11 @@ class IconsCacher {
         * @return string
         */
        public function colorizeSvg($svg, $color): string {
+               if (!preg_match('/^[0-9a-f]{3,6}$/i', $color)) {
+                       // Prevent not-sane colors from being written into the SVG
+                       $color = '000';
+               }
+
                // add fill (fill is not present on black elements)
                $fillRe = '/<((circle|rect|path)((?!fill)[a-z0-9 =".\-#():;,])+)\/>/mi';
                $svg = preg_replace($fillRe, '<$1 fill="#' . $color . '"/>', $svg);