Merge pull request #16021 from nextcloud/bugfix/noid/fall-back-to-black-for-non-color-values

Fall back to black for non-color values

2 files changed, 6 insertions, 0 deletions

diff --git a/core/Controller/SvgController.php b/core/Controller/SvgController.php
index bbf4e61c60c..b956f724ad8 100644
--- a/core/Controller/SvgController.php
+++ b/core/Controller/SvgController.php
@@ -111,6 +111,7 @@ class SvgController extends Controller {
 	 *
 	 * @param string $path
 	 * @param string $color
+	 * @param string $fileName
 	 * @return DataDisplayResponse|NotFoundResponse
 	 */
 	private function getSvg(string $path, string $color, string $fileName) {
diff --git a/lib/private/Template/IconsCacher.php b/lib/private/Template/IconsCacher.php
index 9cd4f8bca10..dd83ce78775 100644
--- a/lib/private/Template/IconsCacher.php
+++ b/lib/private/Template/IconsCacher.php
@@ -184,6 +184,11 @@ class IconsCacher {
 	 * @return string
 	 */
 	public function colorizeSvg($svg, $color): string {
+		if (!preg_match('/^[0-9a-f]{3,6}$/i', $color)) {
+			// Prevent not-sane colors from being written into the SVG
+			$color = '000';
+		}
+
 		// add fill (fill is not present on black elements)
 		$fillRe = '/<((circle|rect|path)((?!fill)[a-z0-9 =".\-#():;,])+)\/>/mi';
 		$svg = preg_replace($fillRe, '<$1 fill="#' . $color . '"/>', $svg);